ABSTRACT


This dissertation investigates correlation immunity, avalanche features, and the bent
cryptographic properties for generalized Boolean functions defined on $V_n$ with values in
$\mathbb{Z}_q$. We extend the concept of correlation immunity from the Boolean case to the
generalized setting, and provide multiple construction methods for order 1 and higher
correlation immune generalized Boolean functions. We establish necessary and sufficient
conditions for generalized Boolean functions. Additionally, we discuss correlation immune
and rotation symmetric generalized Boolean functions, introducing a construction method
along the way. Using a graph-theoretic and probabilistic frame of reference, we
subsequently establish several, increasingly stringent, strict avalanche criteria along
with a construction method for generalized Boolean functions. We introduce the notion of a
uniform avalanche criterion and demonstrate that generalized Boolean functions that satisfy
this criterion are also order 1 correlation immune and always have Boolean function
components that are both order 1 correlation immune and satisfy the strict avalanche
criterion. We subsequently investigate linear structures, directional derivatives and
define a unit vector gradient for generalized Boolean functions. We introduce the
Walsh-Hadamard transform of a generalized Boolean function along with the notion of
generalized bent Boolean functions. We provide a construction of generalized bent Boolean
functions with outputs in $\mathbb{Z}_8$ and establish necessary conditions for generalized
bent Boolean functions.
Executive Summary


The Nation that makes a great
distinction between its scholars and its
warriors will have its thinking done by
cowards and its fighting done by fools.

Thucydides

This dissertation investigates cryptographic properties of generalized Boolean functions.
Generalized Boolean functions, $f : V_n \to \mathbb{Z}_q$, are functions from the vector space of binary
vectors of length $n$ to a ring of integers modulo $q$. The classical Boolean case, where $q = 2$,
has been studied extensively. Such Boolean functions are frequently used as components in
cryptographic algorithms. Much less is currently known about the generalized case, where
$q > 2$. From a cryptologist's point of view, generalized Boolean functions show promise in
a number of cryptographic applications, including those in the quantum environment.

In this dissertation we investigate correlation immunity, avalanche features, and the bent
property of generalized Boolean functions. We extend the concept of correlation immunity
to the generalized setting and establish several new results for correlation immune
generalized Boolean functions. We present several algorithms for the construction of
order 1, higher order, concatenated, and rotation symmetric correlation immune generalized
Boolean functions. We also establish necessary and sufficient conditions for correlation
immune generalized Boolean functions. Doing so is important because generalized Boolean
functions suitable for cryptographic applications must not only be correlation immune, but
all of their constituent Boolean function components must also be correlation immune.
Using a graph-theoretic and probabilistic frame of reference, we then investigate avalanche
features of generalized Boolean functions. We establish several, increasingly stringent,
avalanche criteria for generalized Boolean functions. This line of investigation culminates
in the development of the uniform avalanche criterion (UAC). We demonstrate that
generalized Boolean functions that satisfy the UAC are also order 1 correlation immune and
contain Boolean function components all of which are order 1 correlation immune and satisfy
the strict avalanche criterion (SAC). We investigate linear structures and directional
derivatives of UAC compliant generalized Boolean functions. We also introduce and demonstrate
the utility of the concept of a uniform generalized Boolean function unit vector gradient.
Finally, we present a selection of results on generalized bent Boolean functions taken from
the dissertation author's previously published papers on the topic. In particular, we
introduce the Walsh-Hadamard transform of generalized Boolean functions, and define the
concept of a generalized bent Boolean function. We subsequently provide a construction of
generalized bent Boolean functions with outputs in $\mathbb{Z}_8$, and establish necessary conditions
for generalized bent Boolean functions.
CHAPTER 1:
Introduction


He who loves practice without theory
is like the sailor who boards ship
without a rudder and compass and
never knows where he may cast.

Leonardo da Vinci


1.1 Background

Functions $f : V_n \to \mathbb{F}_2$ from the vector space $V_n$ of all binary vectors of length $n$, to the
finite field of two elements are known as Boolean functions. These functions are essential
components in modern cryptography and error correction codes. As such, they have been
the subject of intense study for the past 50 years, and much is therefore known about them.
In contrast, much less is understood about generalized Boolean functions from the vector
space $V_n$ of all binary vectors of length $n$, to $\mathbb{Z}_q$, where $q > 2$. Yet, these functions also show
great promise of utility in future information, communications, and defense technologies.

The goal of this research has been to increase our understanding of generalized Boolean
functions which satisfy certain cryptographic properties, specifically generalized Boolean
functions which are correlation immune or satisfy strict avalanche criteria. As our starting
point, we use existing Boolean functions research and then attempt, where possible, to
extend these results into the more general setting. Much of Boolean function research has a
tendency to be highly theoretical; while some of this research inevitably will follow suit, we
have, whenever possible, tried to supply the reader with a generous number of examples as
well as a fair number of algorithms with which they can go about constructing the functions
under consideration.
1.2 Contributions

This dissertation makes the following contributions to the study of generalized Boolean
functions:


• We define the algebraic normal form (ANF) of a generalized Boolean function and
demonstrate a method of deriving the ANF using the function's truth table.

• Given function parameters $n$ and $q$, we provide respective counts for the number of
balanced and symmetric generalized Boolean functions in $n$ variables with output
values in $\mathbb{Z}_q$.

• We present several theorems regarding nontrivial binomial bisections, and provide a
complete list of all binomial bisection solutions for n < 51.

• We extend the concept of correlation immunity from the Boolean case to the
generalized setting.

• We provide an algorithm with which to construct a large class of correlation immune
(order 1) generalized Boolean functions.

• Using linear orthogonal arrays we demonstrate a method of creating higher order
correlation immune generalized Boolean functions.

• We extend and prove a generalized version of the Siegenthaler correlation immune
Boolean function construction method, whereby two correlation immune (order $t$)
generalized Boolean functions in $n$ variables are combined to create a correlation
immune (order $t$) generalized Boolean function in $n + 1$ variables.

• We establish necessary and sufficient conditions which ensure that both a generalized
Boolean function as well as its Boolean function components are all correlation
immune.

• We investigate correlation immune and rotation symmetric generalized Boolean
functions and introduce a construction method for such functions.

• We establish an upper bound for the number of rotation symmetric (RotS) generalized
Boolean functions, and prove that there are no balanced and RotS generalized
Boolean functions in $p$ variables with output values in $\mathbb{Z}_q$, for odd prime $p$ and $q > 2$.

• Using a graph-theoretic and probabilistic frame of reference, we establish several
strict avalanche criteria including the notion of a uniform avalanche criterion (UAC).

• We prove that generalized Boolean functions which satisfy the uniform avalanche
criterion are also order 1 correlation immune.

• We prove that generalized Boolean functions which satisfy the uniform avalanche
criterion have Boolean function components which are all both SAC and order 1
correlation immune.

• We investigate linear structures and directional derivatives of UAC-compliant
generalized Boolean functions and introduce the concept of a generalized Boolean function
unit-vector gradient.

• We introduce the Walsh-Hadamard transform of generalized Boolean functions, and
define perfect nonlinear generalized Boolean functions and generalized bent Boolean
functions.

• We provide a construction of generalized bent Boolean functions in $n$ variables with
output values in $\mathbb{Z}_8$.

• We further establish necessary conditions for generalized bent Boolean functions.

1.3 Dissertation Organization 

This dissertation is divided into six chapters and three appendices. In addition to the
introductory chapter in which you now find yourself, the remaining chapters are laid out
as follows. Chapter 2 contains definitions and preliminary generalized Boolean function
material. This is followed by Chapters 3-5, which contain the bulk of the dissertation
research, including all major results. Chapter 3 deals with correlation immune generalized
Boolean functions, whereas Chapter 4 tackles strict avalanche criteria. Chapter 5 contains
a brief overview of the generalized bent property along with a selection of results taken
from this author's previously published papers on this topic. Chapter 6 includes the
dissertation conclusion along with a short discussion of follow-on research possibilities.
This is followed by three appendices, the first two of which include a list of nontrivial
binomial bisections along with the Julia parallel computer search program which generated
the results. The final appendix includes a list of a few linear orthogonal arrays suitable for
construction of higher order correlation immune generalized Boolean functions.
CHAPTER 2:

Basic Properties of Generalized Boolean Functions 


Sic Parvis Magna 

Sir Francis Drake

In this chapter we begin by covering some basic definitions and properties which we will 
make use of throughout this dissertation. 

2.1 Preliminaries 

In a similar manner to what was done in [44], we will throughout this dissertation use the
following definitions: We denote the set of integers, real numbers and complex numbers
by $\mathbb{Z}$, $\mathbb{R}$ and $\mathbb{C}$, respectively. We further denote the ring of integers modulo $q$ by $\mathbb{Z}_q$. The
vector space $V_n$, sometimes alternatively referred to as $\mathbb{F}_2^n$, is the space of all $n$-tuples
$\mathbf{x} = (x_n, \ldots, x_1)$ of elements from $\mathbb{F}_2$ with the standard operations. By "+" we denote addition
over $\mathbb{Z}$, $\mathbb{R}$ and $\mathbb{C}$, whereas "$\oplus$" denotes addition over $V_n$ for all $n \ge 1$. Addition modulo $q$ is
denoted by "+" and it is understood from the context. If $\mathbf{x} = (x_n, \ldots, x_1)$ and $\mathbf{y} = (y_n, \ldots, y_1)$
are in $V_n$, we define the scalar (or inner) product by $\mathbf{x} \cdot \mathbf{y} = x_n y_n \oplus \cdots \oplus x_2 y_2 \oplus x_1 y_1$. The
cardinality of the set $S$ is denoted by $|S|$, and the conjugate of a bit $b$ will be denoted by
$\bar{b}$. If $z = a + bi \in \mathbb{C}$, then $|z| = \sqrt{a^2 + b^2}$ denotes the absolute value of $z$, and $\bar{z} = a - bi$
denotes the complex conjugate of $z$, where $i^2 = -1$, and $a, b \in \mathbb{R}$. The concatenation of
two vectors $\mathbf{x}$ and $\mathbf{y}$ is denoted $\mathbf{x} \| \mathbf{y}$. Additionally, as in [11], we use the Landau symbol $\mathcal{O}$
with its usual meaning, that is, $F = \mathcal{O}(G)$ means $|F(x)| \le c|G(x)|$ holds for some positive
constant $c$, and $x$ sufficiently large.

Definition 2.1. A function from $V_n$ to $\mathbb{F}_2$ is called a Boolean function. The algebra of all
Boolean functions on $V_n$ is denoted by $\mathcal{B}_n$ [11].

Definition 2.2. We call a function from $V_n$ to $\mathbb{Z}_q$, where $q$ is a positive integer such that
$q \ge 2$, a generalized Boolean function on $n$ variables [42]. We denote the set of such functions
by $\mathcal{GB}_n^q$. If $q = 2$, we obtain the previously defined classical Boolean functions [44].
For a given $n$, there are a total of $2^n$ possible Boolean input vectors, each of which can
in turn be mapped to $q$ possible outputs. Therefore the total number of Boolean functions
is $|\mathcal{B}_n| = 2^{2^n}$, whereas the total number of generalized Boolean functions is $|\mathcal{GB}_n^q| = q^{2^n}$.

Given the fact that these formulae are double-exponential, the number of possible functions
quickly becomes astronomical even for input vectors of relatively modest dimensions. For
example, given input vectors of size $n = 7$ and output values in $\mathbb{Z}_5$, the number of
generalized Boolean functions is $\approx 2.94 \times 10^{89}$. By comparison, the number of atoms in
the observable universe is estimated to be between 10^* and 10^^.

As was done in [44], for any function $f \in \mathcal{GB}_n^q$ and $2^{k-1} < q \le 2^k$, we associate a unique
sequence of Boolean functions $a_i \in \mathcal{B}_n$ ($i = 0, 1, \ldots, k-1$) such that

$$f(\mathbf{x}) = a_0(\mathbf{x}) + 2a_1(\mathbf{x}) + \cdots + 2^{k-1}a_{k-1}(\mathbf{x}), \quad \text{for all } \mathbf{x} \in V_n. \tag{2.1}$$

Definition 2.3. A generalized Boolean function $f(\mathbf{x})$ in $n$ variables is a map from $V_n$ to $\mathbb{Z}_q$.
In a manner similar to that in [11], the $q$-ary sequence defined by $(f(\mathbf{v}_0), f(\mathbf{v}_1), \ldots, f(\mathbf{v}_{2^n-1}))$,
where $\mathbf{v}_0 = (0, \ldots, 0, 0)$, $\mathbf{v}_1 = (0, \ldots, 0, 1)$, $\ldots$, $\mathbf{v}_{2^n-1} = (1, \ldots, 1, 1)$ is denoted by $f$ and is
called the truth table of $f(\mathbf{x})$.


Definition 2.4. The Hamming weight of a vector $\mathbf{x} = x_1 \cdots x_n$ (often written as
$\mathbf{x} = (x_1, \ldots, x_n)$), denoted by $\mathrm{wt}(\mathbf{x})$, is the number of nonzero $x_i$, where $x_i \in \mathbb{Z}_q$ [26]. The
Hamming weight of a function $f(\mathbf{x})$ is the Hamming weight of its truth table [11].


Definition 2.5. Given two $q$-ary vectors, $\mathbf{x}$ and $\mathbf{y}$ of length $n$, the Hamming distance
between the two vectors, denoted $d(\mathbf{x}, \mathbf{y})$, is the number of indices where their values differ.
Similarly, the Hamming distance between two $n$-variable functions $f(\mathbf{x})$ and $g(\mathbf{x})$, denoted
$d(f, g)$, is defined as the number of indices for which their truth tables differ.



2.2 The Algebraic Normal Form for Generalized Boolean 
Functions 


Definition 2.6. [11] Let $f \in \mathcal{B}_n$ be a Boolean function and let $\mathbf{i} = (i_1, \ldots, i_n)$ and
$\mathbf{x}^{\mathbf{i}} := x_1^{i_1} x_2^{i_2} \cdots x_n^{i_n}$. The Boolean function $f$ is expressed in Algebraic Normal Form in the
following manner:

$$f(\mathbf{x}) = \bigoplus_{i=0}^{2^n-1} c_i \cdot \mathbf{x}^{\mathbf{i}},$$

where $c_i \in \mathbb{F}_2$ and $\mathbf{i} \in V_n$ is the lexicographically ordered binary expansion of index $i$.


Example 2.7. Consider the Boolean function $f(\mathbf{x}) = x_1 \oplus x_2 x_3 \oplus x_4$. Using the above
definition it can be represented in ANF as:


f(-v\ — 0 . vOrOrOr® 1 . 1 . vOvl rU® ' 


1 ■ x^^x^x^xl i 


)0-x\x2xlxl. 


Building upon this, we now define the Algebraic Normal Form for generalized Boolean 
functions as follows: 

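Definition 2.8. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function such that
$f(\mathbf{x}) = a_0(\mathbf{x}) + 2a_1(\mathbf{x}) + \cdots + 2^{k-1}a_{k-1}(\mathbf{x})$, where $2^{k-1} < q \le 2^k$. Let $\mathbf{j} = (j_1, \ldots, j_n)$ and
$\mathbf{x}^{\mathbf{j}} := x_1^{j_1} x_2^{j_2} \cdots x_n^{j_n}$.

We then define the Algebraic Normal Form of $f$ in the following manner:

$$f(\mathbf{x}) = \sum_{i=0}^{k-1} 2^i \left( \bigoplus_{j=0}^{2^n-1} c_{i,j}\, \mathbf{x}^{\mathbf{j}} \right),$$

where $c_{i,j} \in \mathbb{F}_2$, $\mathbf{j} \in V_n$ is the lexicographically ordered binary expansion of index $j$, and the
summation is carried out modulo $2^k$.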

It is relatively straightforward to recognize the existence and uniqueness of the ANF
representation of generalized Boolean functions by considering the following: First, each vector
$\mathbf{v} \in V_n$ utilized in the ANF is unique and establishes a surjective map between $V_n$ and $\mathcal{B}_n$.
Secondly, since $|V_n| = 2^n$, the power set of $V_n$ has cardinality $|\mathcal{P}(V_n)| = 2^{2^n} = |\mathcal{B}_n|$.
Finally, the binary expansion of any integer $q$ is unique. Given the ANF of a generalized
Boolean function $f$, we can create the truth table of the function by simply using the ANF
and evaluating, in turn, each of the $2^n$ lexicographically ordered input vectors. In order to
proceed in the opposite direction and transform a truth table into an ANF expression, we
first perform a binary expansion of each $q$-ary entry in the truth table, thereby creating
multiple binary truth tables, one for each respective $2^k$ component of $f$, where $0 \le k < \log_2 q$.
Subsequently we perform the divide-and-conquer butterfly algorithm (see the description of
Carlet in [7]) on each of the constituent binary truth tables and produce the corresponding
$2^k$-associated ANF components of the generalized Boolean function.


Example 2.9. Suppose we want to find the ANF for a function $f \in \mathcal{GB}_3^4$ with the truth
table $f = 02032012$. We begin by finding the binary truth tables $a_0$ and $a_1$ associated with
$2^0$ and $2^1$ respectively by performing a binary expansion of $f$:

f  | a0 | a1
---+----+---
0  | 0  | 0
2  | 0  | 1
0  | 0  | 0
3  | 1  | 1
2  | 0  | 1
0  | 0  | 0
1  | 1  | 0
2  | 0  | 1

Having done so, we then apply the following algorithm to each of the binary truth tables. 
Algorithm 1 TT to ANF (Butterfly algorithm) - see [7]

1: Write the truth-table of $f$, in which the binary vectors of length $n$ are in lexicographic
order.

2: Let $f_0$ be the restriction of $f$ to $\mathbb{F}_2^{n-1} \times \{0\}$ and $f_1$ the restriction of $f$ to $\mathbb{F}_2^{n-1} \times \{1\}$.
The truth-table of $f_0$ (resp. $f_1$) corresponds to the upper (resp. lower) half of the table
of $f$; replace the values of $f_1$ by those of $f_0 \oplus f_1$.

3: Apply recursively step 2, separately to the functions now obtained in the places of $f_0$
and $f_1$.

4: The algorithm terminates when it arrives at functions on one variable each. At this
point the global table gives the values of the ANF of $f$.


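For $a_0$ this yields the following.

a0 |    |   |    |   |    | ANF
---+----+---+----+---+----+----
0  | f0 | 0 | f0 | 0 | f0 | 0
0  | f0 | 0 | f0 | 0 | f1 | 0
0  | f0 | 0 | f1 | 0 | f0 | 0
1  | f0 | 1 | f1 | 1 | f1 | 1
0  | f1 | 0 | f0 | 0 | f0 | 0
0  | f1 | 0 | f0 | 0 | f1 | 0
1  | f1 | 1 | f1 | 1 | f0 | 1
0  | f1 | 1 | f1 | 1 | f1 | 0

Reading off the ANF column we recover the $2^0$-associated ANF-component of $f$:

$$\begin{aligned}
a_0(\mathbf{x}) ={}& 0 \cdot x_1^0 x_2^0 x_3^0 \oplus 0 \cdot x_1^0 x_2^0 x_3^1 \oplus 0 \cdot x_1^0 x_2^1 x_3^0 \oplus 1 \cdot x_1^0 x_2^1 x_3^1 \\
&\oplus 0 \cdot x_1^1 x_2^0 x_3^0 \oplus 0 \cdot x_1^1 x_2^0 x_3^1 \oplus 1 \cdot x_1^1 x_2^1 x_3^0 \oplus 0 \cdot x_1^1 x_2^1 x_3^1.
\end{aligned}$$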


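Proceeding in a similar manner for $a_1$ yields:

a1 |    |   |    |   |    | ANF
---+----+---+----+---+----+----
0  | f0 | 0 | f0 | 0 | f0 | 0
1  | f0 | 1 | f0 | 1 | f1 | 1
0  | f0 | 0 | f1 | 0 | f0 | 0
1  | f0 | 1 | f1 | 0 | f1 | 0
1  | f1 | 1 | f0 | 1 | f0 | 1
0  | f1 | 1 | f0 | 1 | f1 | 0
0  | f1 | 0 | f1 | 1 | f0 | 1
1  | f1 | 0 | f1 | 1 | f1 | 0

$$\begin{aligned}
a_1(\mathbf{x}) ={}& 0 \cdot x_1^0 x_2^0 x_3^0 \oplus 1 \cdot x_1^0 x_2^0 x_3^1 \oplus 0 \cdot x_1^0 x_2^1 x_3^0 \oplus 0 \cdot x_1^0 x_2^1 x_3^1 \\
&\oplus 1 \cdot x_1^1 x_2^0 x_3^0 \oplus 0 \cdot x_1^1 x_2^0 x_3^1 \oplus 1 \cdot x_1^1 x_2^1 x_3^0 \oplus 0 \cdot x_1^1 x_2^1 x_3^1.
\end{aligned}$$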


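Finally, assembling both ANF components we recover the ANF for our generalized
Boolean function,

$$\begin{aligned}
f(\mathbf{x}) ={}& 0 \cdot x_1^0 x_2^0 x_3^0 \oplus 0 \cdot x_1^0 x_2^0 x_3^1 \oplus 0 \cdot x_1^0 x_2^1 x_3^0 \oplus 1 \cdot x_1^0 x_2^1 x_3^1 \oplus 0 \cdot x_1^1 x_2^0 x_3^0 \\
&\oplus 0 \cdot x_1^1 x_2^0 x_3^1 \oplus 1 \cdot x_1^1 x_2^1 x_3^0 \oplus 0 \cdot x_1^1 x_2^1 x_3^1 \\
&+ 2\,\big(0 \cdot x_1^0 x_2^0 x_3^0 \oplus 1 \cdot x_1^0 x_2^0 x_3^1 \oplus 0 \cdot x_1^0 x_2^1 x_3^0 \oplus 0 \cdot x_1^0 x_2^1 x_3^1 \\
&\qquad \oplus 1 \cdot x_1^1 x_2^0 x_3^0 \oplus 0 \cdot x_1^1 x_2^0 x_3^1 \oplus 1 \cdot x_1^1 x_2^1 x_3^0 \oplus 0 \cdot x_1^1 x_2^1 x_3^1\big).
\end{aligned}$$


The complexity of computing the truth table from the ANF of a Boolean function $f \in \mathcal{B}_n$
is $\mathcal{O}(n 2^n)$. The complexity of the butterfly algorithm is also $\mathcal{O}(n 2^n)$ [7]. Therefore, the
complexity of computing the ANF from the truth table of a generalized Boolean function
$f \in \mathcal{GB}_n^q$ (or vice versa), as described above, is $\mathcal{O}(\lceil \log_2 q \rceil\, n 2^n)$.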
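The procedure of Example 2.9 and Algorithm 1, written out as an added Python example (not code from the dissertation): it splits a $q$-ary truth table into its binary components, runs the butterfly on each, and converts back. Function names are illustrative; coefficient index $j$ is read as the exponent vector $(j_1, \ldots, j_n)$ of $x_1, \ldots, x_n$, following Definition 2.6.

```python
"""Truth table <-> ANF for generalized Boolean functions (added example)."""


def bit_components(tt, q):
    """Split a q-ary truth table into binary tables a_0..a_{k-1}, where
    2^(k-1) < q <= 2^k and f = a_0 + 2*a_1 + ... + 2^(k-1)*a_{k-1}."""
    if any(not 0 <= v < q for v in tt):
        raise ValueError("truth table entry outside Z_q")
    k = max(1, (q - 1).bit_length())
    return [[(v >> i) & 1 for v in tt] for i in range(k)]


def butterfly(bits):
    """Algorithm 1. The transform is its own inverse: a truth table becomes
    ANF coefficients, and ANF coefficients become the truth table."""
    out = list(bits)
    size = len(out)
    if size == 0 or size & (size - 1):
        raise ValueError("length must be a power of two")
    half = size // 2
    while half >= 1:                      # halves, then quarters, ...
        for start in range(0, size, 2 * half):
            for i in range(start, start + half):
                out[i + half] ^= out[i]   # replace f1 by f0 xor f1
        half //= 2
    return out


def tt_to_anf(tt, q):
    """One list of 2^n ANF coefficients per binary component of f."""
    return [butterfly(a) for a in bit_components(tt, q)]


def anf_to_tt(anf):
    """Rebuild the q-ary truth table; the sum is taken modulo 2^k."""
    comps = [butterfly(c) for c in anf]
    k = len(comps)
    return [sum(a[x] << i for i, a in enumerate(comps)) % (1 << k)
            for x in range(len(comps[0]))]


def eval_anf(anf, x):
    """Evaluate the ANF directly at input index x (independent of the
    butterfly): monomial j equals 1 exactly when its variables are all set."""
    value = 0
    for i, coeffs in enumerate(anf):
        bit = 0
        for j, c in enumerate(coeffs):
            if c and (j & x) == j:
                bit ^= 1
        value += bit << i
    return value % (1 << len(anf))


def monomial(index, n):
    """Monomial whose exponents (j_1..j_n) are the n-bit expansion of index."""
    names = [f"x{v + 1}" for v in range(n) if (index >> (n - 1 - v)) & 1]
    return "*".join(names) or "1"


def anf_string(coeffs):
    """Readable XOR-sum of the monomials with nonzero coefficient."""
    n = len(coeffs).bit_length() - 1
    return " ^ ".join(monomial(j, n) for j, c in enumerate(coeffs) if c) or "0"


def algebraic_degree(anf):
    """Definition 2.10: variables in the largest monomial that occurs."""
    return max((bin(j).count("1") for comp in anf
                for j, c in enumerate(comp) if c), default=0)


# Truth table f = 02032012 from Example 2.9 (n = 3, q = 4).
EXAMPLE_TT = [0, 2, 0, 3, 2, 0, 1, 2]

if __name__ == "__main__":
    anf = tt_to_anf(EXAMPLE_TT, 4)
    for i, comp in enumerate(anf):
        print(f"a{i}: coefficients {comp} -> {anf_string(comp)}")
    print("degree:", algebraic_degree(anf))
    print("round trip:", anf_to_tt(anf) == EXAMPLE_TT)
```
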

In a similar manner as was done for Boolean functions in [11], we define the algebraic
degree and homogeneity of generalized Boolean functions as follows:

Definition 2.10. Given a generalized Boolean function $f \in \mathcal{GB}_n^q$, we define the algebraic
degree d°f to be the number of variables in the highest order monomial with nonzero
coefficients in the ANF of $f$.

Note that defining the degree of generalized Boolean functions in this manner is possible due
to the existence and uniqueness of the ANF, which we previously demonstrated.

Definition 2.11. A generalized Boolean function $f \in \mathcal{GB}_n^q$ is said to be homogeneous if
all of the terms in its ANF are of the same degree.

Seen from the ANF perspective, the simplest Boolean functions are those that are linear or
affine (linear function plus a constant). These functions have d°f = 1 and are of the form:

$$f(\mathbf{x}) = w_1 x_1 \oplus w_2 x_2 \oplus \cdots \oplus w_n x_n \oplus w_0.$$

Letting $\mathbf{w} = (w_1, \ldots, w_n)$, $\mathbf{x} = (x_1, \ldots, x_n) \in V_n$, $w_0 \in \mathbb{F}_2$ and denoting by $\mathbf{w} \cdot \mathbf{x}$ the usual inner
product, we can write: $\mathbf{w} \cdot \mathbf{x} = w_1 x_1 \oplus w_2 x_2 \oplus \cdots \oplus w_n x_n$ and $f(\mathbf{x}) = \mathbf{w} \cdot \mathbf{x} \oplus w_0$. If $w_0 = 0$
then $f$ is linear, otherwise $f$ is affine.

Definition 2.12. We denote the sets of all $n$-variable linear and affine functions as and
£^n, respectively.

Affine functions are important both in coding theory and cryptography. In coding theory
affine functions play a key role in Reed-Muller codes of order 1, whereas in cryptography
we strive to avoid using affine functions and select instead nonlinear functions whose
(cryptographic) behavior is as far as possible from those contained in [V].

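2.3 Fourier Transforms and Generalized Boolean Functions

Definition 2.13. [44] We let $\zeta = e^{2\pi i/q}$ be the complex $q$-primitive root of unity. To each
generalized Boolean function $f(\mathbf{x})$ we associate its character form, sometimes also referred
to as the sign function in characteristic 2, which is defined as:

$$\hat{f}(\mathbf{x}) = \zeta^{f(\mathbf{x})}.$$

Notice that for $q = 2$, this reduces to the familiar Boolean function character form:

$$\hat{f}(\mathbf{x}) = (-1)^{f(\mathbf{x})}.$$

Definition 2.14. As is customary, given a Boolean function $f(\mathbf{x})$, the derivative of $f(\mathbf{x})$
with respect to a vector $\mathbf{a}$, denoted by $D_{\mathbf{a}} f(\mathbf{x})$, is the Boolean function defined by:

$$D_{\mathbf{a}} f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{a}) \oplus f(\mathbf{x}), \quad \text{for all } \mathbf{x} \in V_n.$$

Observe that if $f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{a})$, then $D_{\mathbf{a}} f(\mathbf{x}) = 0$ whereas if $f(\mathbf{x}) \ne f(\mathbf{x} \oplus \mathbf{a})$, then
$D_{\mathbf{a}} f(\mathbf{x}) = 1$. Inasmuch, $\sum_{\mathbf{x} \in V_n} D_{\mathbf{a}} f(\mathbf{x})$ counts the number of input vectors which result in
changes to the output values when a change of direction of $\mathbf{a}$ is applied, and can therefore
be viewed as a directional derivative.

Definition 2.15. Given a generalized Boolean function $f(\mathbf{x})$, we define the derivative $D_{\mathbf{a}} f$
of $f$ with respect to a vector $\mathbf{a}$ to be the generalized Boolean function $D_{\mathbf{a}} f(\mathbf{x})$ by:

$$D_{\mathbf{a}} f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{a}) - f(\mathbf{x}), \quad \text{for all } \mathbf{x} \in V_n.$$

Definition 2.16. Given a vector $\mathbf{a} \in V_n$, we say $\mathbf{a}$ is a linear structure of a generalized
Boolean function $f(\mathbf{x}) \in \mathcal{GB}_n^q$, if the derivative of $f(\mathbf{x})$ with respect to $\mathbf{a}$ remains constant,
that is, if $D_{\mathbf{a}} f(\mathbf{x}) = c \in \mathbb{Z}_q$, for all $\mathbf{x} \in V_n$.

Definition 2.17. [44] The (normalized) generalized Walsh-Hadamard transform of $f \in \mathcal{GB}_n^q$
at any point $\mathbf{u} \in V_n$ is the complex valued function

$$\mathcal{H}_f(\mathbf{u}) = 2^{-n/2} \sum_{\mathbf{x} \in V_n} \zeta^{f(\mathbf{x})} (-1)^{\mathbf{u} \cdot \mathbf{x}}.$$

If $q = 2$, we obtain the (normalized) Walsh-Hadamard transform of $f \in \mathcal{B}_n$, which will be
denoted by $\mathcal{W}_f$ [44].

Definition 2.18. [44] The sum

$$\mathcal{C}_{f,g}(\mathbf{z}) = \sum_{\mathbf{x} \in V_n} \zeta^{f(\mathbf{x}) - g(\mathbf{x} \oplus \mathbf{z})}$$

is the crosscorrelation of $f$ and $g$ at $\mathbf{z}$. The autocorrelation of $f \in \mathcal{GB}_n^q$ at $\mathbf{u} \in V_n$ is $\mathcal{C}_{f,f}(\mathbf{u})$
above, which we denote by $\mathcal{C}_f(\mathbf{u})$.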
2.4 Balance and Symmetry

A Boolean function $f \in \mathcal{GB}_n^q$ is balanced if its output values are uniformly distributed.
In order for a generalized Boolean function to be balanced, we must have $q = 2^\ell$ for
$\ell \le n$, since the function's $q$ possible output values must be evenly distributed among its $2^n$
outputs.

Recall that a Boolean function $f \in \mathcal{B}_n$ is balanced if and only if the Hamming weight of
its truth table is exactly $2^{n-1}$ [11].

Lemma 2.19. If a generalized Boolean function $f(\mathbf{x}) \in \mathcal{GB}_n^q$ is balanced, then its Hamming
weight equals $2^{n-\ell}(2^\ell - 1) = 2^n - 2^{n-\ell}$. Notice that if $\ell = 1$, this reduces to the Boolean
function case where the weight of $f$ equals $2^{n-1}$.

Considering Walsh-Hadamard transforms for a moment, we recall from [11] that a Boolean
function $f$ is balanced if and only if the Walsh-Hadamard transform

$$\mathcal{W}_f(\mathbf{0}) = 0.$$

In the generalized Boolean function case, we can say the following:

Lemma 2.20. If a generalized Boolean function $f$ is balanced, then the generalized
Walsh-Hadamard transform of $f$ is

$$\mathcal{H}_f(\mathbf{0}) = 2^{-n/2} \sum_{\mathbf{x} \in V_n} \zeta^{f(\mathbf{x})} = 2^{n/2 - \ell}\, \frac{\zeta^{2^\ell} - 1}{\zeta - 1} = 0.$$

The reader will notice that unlike in the classical Boolean functions case, the preceding
criteria for generalized Boolean functions are not biconditional. That is, if a generalized
Boolean function is balanced, then the criteria hold. However, for $\ell > 1$, the Hamming
weight or Walsh-Hadamard transform conditions outlined above are necessary, but not
sufficient, conditions for the function to be balanced.
In fact, there are many generalized Boolean functions that satisfy these criteria, yet fail to
be balanced.
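An added example (not from the dissertation) that checks the necessary conditions of Lemmas 2.19 and 2.20 against the definition of balance. It assumes $\mathcal{H}_f(\mathbf{u}) = 2^{-n/2} \sum_{\mathbf{x}} \zeta^{f(\mathbf{x})} (-1)^{\mathbf{u} \cdot \mathbf{x}}$ with $\zeta = e^{2\pi i/q}$, as in [44]; the four truth tables are constructed for illustration and the function names are hypothetical.

```python
"""Balance of generalized Boolean functions: definition vs. necessary
conditions (added example; truth tables below are constructed)."""
import cmath
from collections import Counter


def is_balanced(tt, q):
    """Definition: every value of Z_q occurs equally often in the table."""
    counts = Counter(tt)
    return len(tt) % q == 0 and all(
        counts[v] == len(tt) // q for v in range(q))


def hamming_weight(tt):
    """Number of nonzero truth-table entries (Definition 2.4)."""
    return sum(1 for v in tt if v != 0)


def generalized_wht(tt, q):
    """Normalized spectrum H_f(u) for all u, computed straight from the
    defining sum (assumed form, see lead-in). Cost is O(4^n)."""
    n = len(tt).bit_length() - 1
    zeta = cmath.exp(2j * cmath.pi / q)
    scale = 2 ** (-n / 2)
    spectrum = []
    for u in range(len(tt)):
        acc = 0
        for x, fx in enumerate(tt):
            sign = -1 if bin(u & x).count("1") % 2 else 1   # (-1)^(u.x)
            acc += sign * zeta ** fx
        spectrum.append(scale * acc)
    return spectrum


def weight_condition(tt, q):
    """Lemma 2.19: a balanced f has weight 2^n - 2^(n-l), with q = 2^l."""
    return hamming_weight(tt) == len(tt) - len(tt) // q


def wht0_condition(tt, q, eps=1e-9):
    """Lemma 2.20: a balanced f has H_f(0) = 0 (up to rounding)."""
    return abs(generalized_wht(tt, q)[0]) < eps


def report(tt, q):
    """(weight condition, H_f(0) condition, actually balanced)."""
    return weight_condition(tt, q), wht0_condition(tt, q), is_balanced(tt, q)


# Constructed truth tables on n = 3 variables.
BALANCED_Z8 = [0, 1, 2, 3, 4, 5, 6, 7]       # each value exactly once
LOOKALIKE_Z8 = [0, 4, 1, 1, 1, 5, 5, 5]      # meets both lemmas, unbalanced
WEIGHT_ONLY_Z4 = [0, 0, 1, 1, 1, 1, 1, 1]    # right weight, H_f(0) != 0
WHT_ONLY_Z4 = [0, 0, 0, 0, 2, 2, 2, 2]       # H_f(0) = 0, wrong weight

if __name__ == "__main__":
    cases = [("balanced, q=8", BALANCED_Z8, 8),
             ("lookalike, q=8", LOOKALIKE_Z8, 8),
             ("weight only, q=4", WEIGHT_ONLY_Z4, 4),
             ("H_f(0) only, q=4", WHT_ONLY_Z4, 4)]
    for name, tt, q in cases:
        w_ok, h_ok, bal = report(tt, q)
        print(f"{name:18s} weight={w_ok!s:5} H_f(0)=0:{h_ok!s:5} balanced={bal}")
```

The second table is the interesting one: its values 0 and 4, and 1 and 5, cancel in pairs as powers of $\zeta$, so both lemma conditions hold although four of the eight output values never occur.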

Theorem 2.21. A generalized Boolean function $f \in \mathcal{GB}_n^{2^\ell}$ such that $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$ for
$\mathbf{x} \in V_n$ is balanced if and only if all of its Boolean functions $a_j$ are balanced, and for each
$j$ and $h$ such that $0 \le j, h \le k-1$ and $j \ne h$, $d(a_j, a_h) = 2^{n-1}$.

Proof. ($\Rightarrow$) Let $f \in \mathcal{GB}_n^{2^\ell}$ be a balanced generalized Boolean function. Consider the
set of $2^\ell$ binary vectors $\{(c_j)_2\}$ which correspond to the unique output values $c_j \in f(V_n)$,
$0 \le j \le 2^\ell - 1$. This set equals $\mathbb{F}_2^\ell$, which is balanced with respect to the number of 0's
and 1's it contains. Moreover, for each column $\mathbf{v}_j$ and $\mathbf{v}_h$ in $\mathbb{F}_2^\ell$, $d(\mathbf{v}_j, \mathbf{v}_h) = 2^{\ell-1}$. Since
each output value of $f$ occurs with frequency $2^{n-\ell}$, this means that each function $a_j$
contains $n - \ell$ copies of $\mathbb{F}_2^\ell$, thus there are $2^{n-\ell} \cdot 2^{\ell-1} = 2^{n-1}$ 0's and $2^{n-1}$ 1's and for all
Boolean functions $a_j$ and $a_h$, where $j \ne h$, $d(a_j, a_h) = 2^{n-1}$.

($\Leftarrow$) Let $B = \{a_0, a_1, \ldots, a_{k-1}\}$ be a collection of $k$ balanced Boolean functions in $n$
variables, such that for all $j$ and $h$ such that $0 \le j, h \le k-1$ and $j \ne h$, $d(a_j, a_h) = 2^{n-1}$.
Let $f$ be a generalized Boolean function $f \in \mathcal{GB}_n^{2^\ell}$ constructed using $B$ such that
$f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$, where $\mathbf{x} \in V_n$. Consider the composite truth table $A = [a_0, a_1, \ldots, a_{k-1}]$. $A$
consists of $2^n$ binary row vectors of length $k$. Each Boolean function is balanced and for
any two distinct column vectors (Boolean functions) in $A$, the pairwise distance between
them is $2^{n-1}$. Thus, it must be the case that all vectors in $\mathbb{F}_2^\ell$ appear in $A$ with frequency
$2^{n-\ell}$. Considering the fact that $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$ and each value $c_j \in f(V_n)$ is also a
binary row vector in $A$, the result has been demonstrated. ■


We can obtain a count for the number of balanced generalized Boolean functions by again
considering the composite truth table $A$ of the set of Boolean functions $f \in \mathcal{GB}_n^{2^\ell}$. Let
bfSSSy^ represent the set of all balanced generalized Boolean functions. There are $\binom{2^n}{2^{n-1}}$
ways in which to select the $2^{n-1}$ 1's in $a_0$. For these 1's, half of the corresponding values

$$\binom{2^{n-1}}{2^{n-2}}$$

possible ways to select these $2^{n-2}$ 1's. Additionally, for the values of $a_1$ corresponding to the
remaining 0's in $a_0$, half must be 1's and half must be 0's. One can certainly proceed in
a similar fashion to get the count, or alternatively, observe that to get a balanced function,
one can choose $2^{n-\ell}$ input vectors out of $2^n$ to assign (via $f$) the value 0; next choose $2^{n-\ell}$
input vectors out of $2^n - 2^{n-\ell}$ to assign the value 1, etc. That is,

$$\binom{2^n}{2^{n-\ell}} \binom{2^n - 2^{n-\ell}}{2^{n-\ell}} \cdots \binom{2^{n-\ell}}{2^{n-\ell}} = \binom{2^n}{2^{n-\ell},\, 2^{n-\ell},\, \ldots,\, 2^{n-\ell}},$$

the multinomial coefficient with equal parts, each of size $2^{n-\ell}$.

Definition 2.22. A generalized Boolean function $f \in \mathcal{GB}_n^q$ is called symmetric if it remains
invariant under the full symmetric group $S_n$.

The task of constructing symmetric generalized Boolean functions $f \in \mathcal{GB}_n^q$ involves
partitioning $V_n$ into $q$ subsets, each of which contains all input vectors of a specific Hamming
weight. These $q$ subsets are subsequently mapped to unique values from $\mathbb{Z}_q$. The number
of vectors in $V_n$ with a given Hamming weight $h$ is $\binom{n}{h}$, thus the cardinality of the subsets
within the partition corresponds to the set of binomial coefficients.

In order to establish exactly how many such functions exist, we proceed as follows: First,
let represent the total number of symmetric generalized Boolean functions for
given $n$ and $q$. Stirling numbers of the second kind, denoted count the number
of ways we can partition the set of $n + 1$ possible weights of binary input vectors of length
$n$ into $q$ nonempty sets. These $q$ nonempty sets must subsequently be mapped to the $q$
possible output values, which can be arranged in $q!$ possible ways. Therefore,



Theorem 2.23. A generalized Boolean function $f \in \mathcal{GB}_n^{2^k}$ such that
$f(\mathbf{x}) = a_0(\mathbf{x}) + 2a_1(\mathbf{x}) + \cdots + 2^{k-1}a_{k-1}(\mathbf{x})$ is symmetric if and only if each of the Boolean functions
$a_i(\mathbf{x})$, $i \in \{0, 1, \ldots, k-1\}$, is symmetric.

Proof. Let $f \in \mathcal{GB}_n^{2^k}$ be a generalized Boolean function such that

$$f(\mathbf{x}) = a_0(\mathbf{x}) + 2a_1(\mathbf{x}) + \cdots + 2^{k-1}a_{k-1}(\mathbf{x}),$$

$a_i \in \mathcal{B}_n$. We prove the claim using a counting argument. If a generalized Boolean function
is symmetric, its output remains constant for specific weights of the input $\mathbf{x}$. There
are a total of $n + 1$ possible weights for $\mathbf{x}$. To each of these weights, we have $q$ possible
output values. Thus there are $q^{n+1}$ symmetric functions in $\mathcal{GB}_n^q$. If $q = 2^k$, there are
$2^{k(n+1)}$ symmetric functions. Since $f(\mathbf{x}) = a_0(\mathbf{x}) + 2a_1(\mathbf{x}) + \cdots + 2^{k-1}a_{k-1}(\mathbf{x})$, we also see
that there are $2^{n+1}$ possible symmetric Boolean functions for each $a_i$ and a total of
$2^{(n+1)k}$ possibilities. These two counts agree and our claim is thus proved. ■

The question of when a Boolean function $f \in \mathcal{B}_n$ is both symmetric and balanced is
interesting. Such functions can only exist in the cases where one is able to partition (bisect) the
binomial coefficients into two subsets each of sum $2^{n-1}$. Although not the main topic of
this dissertation, we provide a few remarks regarding the subject here due to the
dissertation author's involvement in this research [27].


Letting $\sum_{i=0}^{n} \delta_i \binom{n}{i} = 0$ where $\delta_i \in \{-1, 1\}$, we can represent $[\delta_0, \ldots, \delta_n]$ as
a solution to the bisection problem. By the binomial theorem, $\sum_{i=0}^{n} (-1)^i \binom{n}{i} =
(1 - 1)^n = 0$, hence $\pm[1, -1, 1, -1, \ldots]$ is always a solution. Moreover, observe
that if $n$ is odd then $[\delta_0, \ldots, \delta_{(n-1)/2}, -\delta_{(n-1)/2}, \ldots, -\delta_0]$ with $\delta_i \in \{-1, 1\}$
arbitrarily chosen, produces $2^{(n+1)/2}$ solutions. These are referred to as trivial
solutions. Additional, nontrivial bisections occur sporadically. Letting $J_n$
represent the set of bisection solutions for a given $n$, we have the following theorem:

Theorem 2.24. [27] If $p$ is a prime number, then $J_{p-1} = 2$.


Proof. The statement is obviously true if $p = 2$, so we may assume that $p$ is
an odd prime. We let $n = p - 1$ and observe that $n \equiv -1 \pmod{p}$. We want
to show that $\binom{n}{j} \equiv (-1)^j \pmod{p}$, for every $j \in \{0, 1, \ldots, n\}$. This is clearly
true for $j = 0$. Since every $j \in \{1, \ldots, n\}$ has an inverse modulo $p$, we have
for $j \in \{1, \ldots, n\}$

$$\binom{n}{j} = \frac{n(n-1) \cdots (n-j+1)}{j!} \equiv \frac{(-1)(-2) \cdots (-1-j+1)}{j!} \equiv (-1)^j \pmod{p}.$$

Hence, if $[\delta_0, \ldots, \delta_n]$ is a solution of the bisection problem,

$$0 = \sum_{j=0}^{n} \delta_j \binom{n}{j} \equiv \sum_{j=0}^{n} (-1)^j \delta_j \pmod{p},$$

but the number

$$A := \sum_{j=0}^{n} (-1)^j \delta_j \equiv 0 \pmod{p}$$

is an odd number ($n + 1 = p$ is an odd prime) satisfying

$$|A| \le \sum_{j=0}^{n} |(-1)^j \delta_j| = \sum_{j=0}^{n} 1 = n + 1 = p. \tag{2.2}$$

Because $A$ cannot be zero, the only possible values of $A$ are $p$ or $-p$. Then the
equality $|A| = p = n + 1$ in (2.2) forces $\delta_j = \pm(-1)^j$, for all $j$. Therefore, we
have only the two trivial solutions, that is, $J_{p-1} = 2$ [27]. ■

Using the Hamming high performance computer (HPC) at the Naval Postgraduate School,
and a parallel computer program written in Julia (see Appendix A.2), we were able to
exhaustively search for nontrivial binomial bisections for n < 51 [27]. We verified the
computational data previously provided by [10] and [21] for n < 31, and obtained additional
results for 37 < n < 51. These results have been included in Appendix A.1 and the number
of nontrivial solutions appears as A200147 in the Online Encyclopedia of Integer Sequences.
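A brute-force search of this kind for small $n$, as an added example (it is not the dissertation's Julia program from the appendix). It takes $J_n$ to be the number of sign vectors $[\delta_0, \ldots, \delta_n]$ solving the bisection problem and classifies each one as trivial or nontrivial as described above; the function names are illustrative.

```python
"""Exhaustive search for bisections of the binomial coefficients of n
(added example; enumerates 2^(n+1) sign vectors, so small n only)."""
from math import comb


def bisections(n):
    """All sign vectors (d_0..d_n), d_i in {-1,+1}, with
    sum_i d_i * C(n, i) = 0."""
    coeffs = [comb(n, i) for i in range(n + 1)]
    total = sum(coeffs)                      # equals 2^n
    found = []
    for mask in range(1 << (n + 1)):
        plus = sum(c for i, c in enumerate(coeffs) if (mask >> i) & 1)
        if 2 * plus == total:                # the +1 side carries half
            found.append(tuple(1 if (mask >> i) & 1 else -1
                               for i in range(n + 1)))
    return found


def is_trivial(delta):
    """Trivial solutions: for odd n the antisymmetric vectors
    d_(n-i) = -d_i (these include the alternating ones); for even n only
    +/-[1, -1, 1, -1, ...]."""
    n = len(delta) - 1
    if n % 2 == 1:
        return all(delta[i] == -delta[n - i] for i in range(n + 1))
    return all(delta[i] == delta[0] * (-1) ** i for i in range(n + 1))


def summarize(n):
    """(number of solutions J_n, number of nontrivial solutions)."""
    sols = bisections(n)
    return len(sols), sum(1 for d in sols if not is_trivial(d))


def check_prime_case(p):
    """Theorem 2.24 for one prime p: exactly the two alternating solutions."""
    return summarize(p - 1) == (2, 0)


def positive_side(delta):
    """Binomial coefficients that receive sign +1 in a solution."""
    n = len(delta) - 1
    return [comb(n, i) for i, d in enumerate(delta) if d == 1]


if __name__ == "__main__":
    for p in (2, 3, 5, 7, 11, 13):
        print(f"p = {p:2d}: J_(p-1) = 2 holds: {check_prime_case(p)}")
    for n in range(1, 11):
        total, nontrivial = summarize(n)
        print(f"n = {n:2d}: J_n = {total:3d}, nontrivial = {nontrivial}")
    for d in bisections(8):
        if not is_trivial(d):
            print("nontrivial bisection for n = 8:", positive_side(d))
```
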

Looking at the bisection solution data in Appendix A.1 we observed some additional
patterns. Using some identities, which were first pointed out by Jefferies [21], along with
solutions to diophantine equations, we were able to produce some infinite classes of
integers admitting nontrivial bisections. We present the following from our research without
proof. Additional discourse on this topic along with the proof of the following theorem can
be found in the paper entitled Bisecting binomial coefficients which recently appeared in
the journal Discrete Applied Mathematics [27].


Theorem 2.25. [27] The following hold: 

1. Ifn = k^ — 2, k>A even, then Jn > 10, > 2^ -|- 2^ ^ {tight). 

2. Ifk = 0, 1 (mod 3) and n = U<:+i+^ 2 F 4 ^ 6 ^ ^ 

3. Let n = Ak^ A- l6kA- 13,k > 0. Then, there are at least 2("+0/2-3 

nontrivial bisections for the binomial coefficients | (”) | > so, 

•r ^ ^+1 ^ «-l 

Jn ^ 2 2 2 2 , 
Based on related search data, we make the following conjecture regarding the impossibility of further sub-dividing the binomial coefficients into equal parts.

Conjecture 2.26. There are no $2^k$-sections of the binomial coefficients for $k > 1$.

Should a proof of this conjecture emerge, it would mean that symmetric and balanced 
generalized Boolean functions do not exist. 
CHAPTER 3:

Correlation Immune Generalized Boolean Functions 


The Devil is in the details, but so is 
salvation. 

Hyman G. Rickover


3.1 Introduction 

Siegenthaler first described the correlation attack in 1984 [40]. This type of known-plaintext attack provides cryptanalysts with a method of attacking stream ciphers which are generated using multiple linear feedback shift registers (LFSRs) and a nonlinear combiner which is plagued by a poorly chosen Boolean function. Correlation attacks involve careful examination of input vectors and their associated functional outputs in order to determine whether the value of a single bit, or the values of a subset of bits in the input vector, exert greater influence over the output than others. If this is the case, attackers can use this information to surmise something about the structure of the underlying Boolean function as well as the outputs of the LFSRs. Cusick and Stanica provide an example of such a poorly chosen function in [11, p. 58] that we, for illustrative purposes, provide here.

Example 3.1. Consider the following 3-variable Boolean function $f(\mathbf{x}) = x_1x_2 \oplus x_1x_3 \oplus x_2x_3$ and its associated truth table:

Input    000  001  010  011  100  101  110  111
Output    0    0    0    1    0    1    1    1


To determine whether or not the value of a single input bit exerts an undue influence over the output, we use the truth table and compute conditional probabilities for each bit of the input vectors, $\mathbf{x}$. For example, the probability that the first bit $x_1$ is 0 given the fact that the function's output equals 0 is

$$\Pr(x_1 = 0 \mid f(\mathbf{x}) = 0) = \frac{\Pr(x_1 = 0 \cap f(\mathbf{x}) = 0)}{\Pr(f(\mathbf{x}) = 0)} = \frac{3/8}{4/8} = 3/4.$$
Proceeding similarly, we calculate the conditional probabilities for each of the remaining possibilities and obtain the results listed in Table 3.1.


Table 3.1: Conditional probability table for a Boolean function

Conditional Prob. Given f(x) = 0      Conditional Prob. Given f(x) = 1
Pr(x1 = 0 | f(x) = 0) = 3/4           Pr(x1 = 0 | f(x) = 1) = 1/4
Pr(x1 = 1 | f(x) = 0) = 1/4           Pr(x1 = 1 | f(x) = 1) = 3/4
Pr(x2 = 0 | f(x) = 0) = 3/4           Pr(x2 = 0 | f(x) = 1) = 1/4
Pr(x2 = 1 | f(x) = 0) = 1/4           Pr(x2 = 1 | f(x) = 1) = 3/4
Pr(x3 = 0 | f(x) = 0) = 3/4           Pr(x3 = 0 | f(x) = 1) = 1/4
Pr(x3 = 1 | f(x) = 0) = 1/4           Pr(x3 = 1 | f(x) = 1) = 3/4


Examining the table we see that if the function's output is zero, the probabilities that each respective input bit, $x_1$, $x_2$, and $x_3$, equals zero are all .75. From a cryptographic perspective this is highly undesirable! Armed with this information and known plaintext, an adversary readily obtains information about the outputs of the LFSRs, which in turn can be used to launch an attack on each LFSR, thereupon recovering the keystream of the system.

To avoid this unfortunate situation, we need to be more circumspect in how we go about choosing our Boolean function. To be in a position to select more wisely we initially adopt a "black box" view of the problem and consider input vectors and the output values to which they are mapped. We partition the set of input vectors $V_n$ into two sets $V_0$ and $V_1$, such that $\forall \mathbf{x} \in V_0$, $f(\mathbf{x}) = 0$ and $\forall \mathbf{x} \in V_1$, $f(\mathbf{x}) = 1$. Clearly, in order to not give away any information to a would-be attacker, we need, for $i = 1, 2, 3$ and all $\mathbf{x} \in V_0$, $\Pr(x_i = 0 \mid f(\mathbf{x}) = 0) = \Pr(x_i = 1 \mid f(\mathbf{x}) = 0) = 1/2$. Consequently, we recognize that $|V_0| > 1$. If this were not the case, the output value 0 would appear only once in the function's truth table and it would be associated with a single input vector $\mathbf{x}$. This in turn would result in the probability $\Pr(x_i = 0 \mid f(\mathbf{x}) = 0)$, for each respective index $i$, $1 \le i \le 3$, being equal to either 1 or 0. It is, however, possible for $|V_0|$ to equal 2 and ensure that the necessary conditional probabilities hold. Partitioning $V_n$ using complementary input vectors we can construct a Boolean function $f : V_n \to \mathbb{F}_2$ with the desired conditional probability properties. Partition $V_n$ into two subsets, $S_0$, $S_1$, such that $\forall \mathbf{x} \in S_j$, $\bar{\mathbf{x}} \in S_j$ and $f(\mathbf{x}) = f(\bar{\mathbf{x}}) = j$, where $j = 0, 1$. To see that this will produce the desired result, consider the following: For each pair of vectors $\mathbf{x}, \bar{\mathbf{x}} \in S_j$ and each bit $x_i$, where $i = 1, 2, \ldots, n$, there is one vector where $x_i = 0$ and one vector where $x_i = 1$. This means that if $S_j$ contains $m$ pairs of complementary vectors, then for each $i$, there are $m$ vectors where $x_i = 0$ and $m$ vectors where $x_i = 1$, which in turn yields

$$\Pr(x_i = 0 \mid f(\mathbf{x}) = 0) = \Pr(x_i = 1 \mid f(\mathbf{x}) = 0) = \frac{m/2^n}{2m/2^n} = \frac{1}{2}.$$


Equipped with this new-found insight, we tailor the following truth table for our new Boolean function:

Input    000  001  010  011  100  101  110  111
Output    1    1    1    0    0    1    1    1


Converting the truth table into ANF yields the Boolean function $f(\mathbf{x}) = 1 \oplus x_2x_3 \oplus x_1 \oplus x_1x_3 \oplus x_1x_2$. We subsequently compute the conditional probabilities given in Table 3.2, and verify that our analysis did in fact render a Boolean function with the desired properties.

Table 3.2: Conditional probability table for an order 1 correlation immune Boolean function

Conditional Prob. Given f(x) = 0      Conditional Prob. Given f(x) = 1
Pr(x1 = 0 | f(x) = 0) = 1/2           Pr(x1 = 0 | f(x) = 1) = 1/2
Pr(x1 = 1 | f(x) = 0) = 1/2           Pr(x1 = 1 | f(x) = 1) = 1/2
Pr(x2 = 0 | f(x) = 0) = 1/2           Pr(x2 = 0 | f(x) = 1) = 1/2
Pr(x2 = 1 | f(x) = 0) = 1/2           Pr(x2 = 1 | f(x) = 1) = 1/2
Pr(x3 = 0 | f(x) = 0) = 1/2           Pr(x3 = 0 | f(x) = 1) = 1/2
Pr(x3 = 1 | f(x) = 0) = 1/2           Pr(x3 = 1 | f(x) = 1) = 1/2


The function which we constructed above is referred to as a correlation immune (order 1) function. Order 1 refers to the fact that it only satisfies the conditional probability requirements for a single bit. It is of course possible to consider larger subsets of bits in the input vectors of a function. In the above case, $f$ fails in multiple instances when we consider value assignments of the $\binom{3}{2}$ two-bit subsets. For example,

$$\Pr(x_1 = 0, x_3 = 0 \mid f(\mathbf{x}) = 1) = 1/3.$$
Correlation attacks take advantage of differences in the conditional probabilities between subsets of input vector bits and the associated outputs of a function. Seen from this "black box" perspective, it is of little consequence whether the function's output is binary or a subset of values from some other ring $\mathbb{Z}_q$ ($q > 2$). If a cryptographer hopes to render a function immune to this adversarial technique, he must ensure that balanced conditional probabilities exist for all values of the image of $f$. Thus far, we have considered output values $c \in \mathbb{F}_2$, but we could have just as well considered the output values $c \in \mathbb{Z}_q$. As such, there is a very natural extension of the concept of correlation immunity into the domain of generalized Boolean functions. With this in mind, we extend Cusick and Stanica's definition of correlation immunity from [11, p. 55].

Definition 3.2. A generalized Boolean function $f : V_n \to \mathbb{Z}_q$ is said to be correlation immune of order $t$, with notation $CI(t)$, $1 \le t \le n$, if for any fixed subset of $t$ variables the probability that, given the value of $f(\mathbf{x})$, the $t$ variables have any fixed set of values, is always $2^{-t}$, no matter what the choice of the fixed set of $t$ values is.


When exploring the notion of correlation immunity for generalized Boolean functions, a fitting place to begin is perhaps by contemplating just how many output values, $c \in \mathbb{Z}_q$, a correlation immune generalized Boolean function could possibly achieve.

Theorem 3.3. If $f : V_n \to \mathbb{Z}_q$ is a CI (order 1) generalized Boolean function, then the number of occurrences of each output value $c \in \mathbb{Z}_q$ that $f$ achieves is even.


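Proof. Let $f : V_n \to \mathbb{Z}_q$ be a CI (order 1) generalized Boolean function. Let $\mathbf{x} = (x_n, \ldots, x_1) \in V_n$. Suppose $S$ instances of a specific output value, $c \in \mathbb{Z}_q$, occur in the truth table of $f$. Let $V_c \subseteq V_n$ represent the set of all vectors $\mathbf{x}$ such that $f(\mathbf{x}) = c$. For each $i = 1, 2, \ldots, n$, let $V_c^{(0,i)} \subseteq V_c$ be the subset of vectors such that $x_i = 0$ and $f(\mathbf{x}) = c$, and let $V_c^{(1,i)} \subseteq V_c$ be the subset of vectors such that $x_i = 1$ and $f(\mathbf{x}) = c$. Then, since $f$ is CI(1), for each $i = 1, 2, \ldots, n$ we have

$$\Pr(x_i = 0 \mid f(\mathbf{x}) = c) = \frac{\Pr(x_i = 0 \cap f(\mathbf{x}) = c)}{\Pr(f(\mathbf{x}) = c)} = \frac{|V_c^{(0,i)}| / 2^n}{S / 2^n} = \frac{|V_c^{(0,i)}|}{S} = \frac{1}{2}, \quad \text{so} \quad |V_c^{(0,i)}| = \frac{S}{2},$$

and

$$\Pr(x_i = 1 \mid f(\mathbf{x}) = c) = \frac{\Pr(x_i = 1 \cap f(\mathbf{x}) = c)}{\Pr(f(\mathbf{x}) = c)} = \frac{|V_c^{(1,i)}| / 2^n}{S / 2^n} = \frac{|V_c^{(1,i)}|}{S} = \frac{1}{2}, \quad \text{so} \quad |V_c^{(1,i)}| = \frac{S}{2}.$$

For each $i$, $x_i$ is either 0 or 1, so $V_c^{(0,i)}$ and $V_c^{(1,i)}$ are mutually exclusive. Moreover, $|V_c^{(0,i)}| = |V_c^{(1,i)}|$ for all $i$, therefore $2 \cdot |V_c^{(0,i)}| = 2 \cdot |V_c^{(1,i)}| = S$, and the result is thus proven. ■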

Corollary 3.4. Let $f : V_n \to \mathbb{Z}_q$ be a correlation immune (order 1) generalized Boolean function and let $f(V_n)$ be the image of $f$. Then $|f(V_n)| \le 2^{n-1}$.


Proof. The result is an immediate consequence of Theorem 3.3. Let $f : V_n \to \mathbb{Z}_q$ be a CI(1) generalized Boolean function. Since the number of occurrences of each distinct output value $c \in f(V_n)$ must be divisible by 2, the maximum number of output values is therefore

$$\frac{|V_n|}{2} = \frac{2^n}{2} = 2^{n-1}. \qquad ■$$

Remark 3.5. We have already demonstrated how one can create a CI(1) generalized Boolean function $f : V_n \to \mathbb{Z}_q$ by ensuring that $f(\mathbf{x}) = f(\bar{\mathbf{x}})$, for all $\mathbf{x} \in V_n$. By assigning a distinct value, $c \in \mathbb{Z}_q$, for each vector pair $\mathbf{x}, \bar{\mathbf{x}}$ we achieve the above stated upper bound.


3.2 Correlation Immune Constructions 

There are numerous ways in which to construct correlation immune (order 1) Boolean functions. In addition to the so-called “folklore” construction, that we have touched upon, a method which we refer to as the “complementation construction” works well. In this case we create correlation immune (order 1) Boolean functions $f \in \mathcal{B}_n$ using the following algorithm:


Algorithm 2 CI(1) Complementation Construction for Boolean Functions

1: Write the truth table of $f$, in which the binary vectors of length $n$ are in lexicographic order.

2: Label the first $2^{n-1}$ entries of the truth table with $2^{n-2}$ 0's and $2^{n-2}$ 1's in any order desired.

3: Label the remaining $2^{n-1}$ entries of the truth table by copying the first $2^{n-1}$ entries of the truth table into the second half of the truth table and then complementing each of these entries.
Example 3.6. Consider the following truth table of a correlation immune order 1 function $f \in \mathcal{B}_4$, which was created using the complementation algorithm. In order to highlight the complementation process and motivate the subsequent proof of correctness of the algorithm, we include the set of input vectors, $V_4$, and place the two halves of the truth table side-by-side.


Table 3.3: A CI(1) Boolean function $f \in \mathcal{B}_4$

V_4     f     V_4     f
0000    0     1000    1
0001    0     1001    1
0010    1     1010    0
0011    0     1011    1
0100    1     1100    0
0101    1     1101    0
0110    1     1110    0
0111    0     1111    1


Proof of Correctness of the CI(1) Boolean Function Complementation Construction:

Suppose we create a Boolean function $f \in \mathcal{B}_n$ using the preceding algorithm. To show that the algorithm indeed renders a correlation immune (order 1) function, we argue as follows: Partition the set of input vectors $V_n$ into two sets, $V_0$ and $V_1$, such that for all $\mathbf{x} \in V_j$, $f(\mathbf{x}) = j$, where $j = 0$ or $j = 1$. Let $V_j|_{n-1}$ represent the set of sub-vectors of the $n - 1$ least significant bits of $V_j$. Since the second half of the truth table is a complemented copy of the first half, $V_j|_{n-1} = V_{n-1}$ for both $j = 0$ and $j = 1$. Now, for each column $i$ from 1 to $n - 1$, we know that $V_{n-1}$ is balanced (contains an equal number of 0's and 1's), therefore it must also be the case that each set $V_j|_{n-1}$, where $j = 0$ or 1, is also balanced with respect to the first $n - 1$ columns. Moreover, the algorithm required that the first half of the truth table was balanced, which in turn ensures that the $n$th column is also balanced in both $V_0$ and $V_1$. Consequently, for all $i$ from 1 to $n$, $\Pr(x_i = 0 \mid f(\mathbf{x}) = 0) = 1/2$, thus demonstrating that the function is correlation immune (order 1).

The complementation algorithm allows us to create a great many CI(1) Boolean functions. 
Unfortunately, this construction method is not well suited for building correlation immune (order 1) generalized Boolean functions. For this, we require a more general technique which partitions $V_n$ into appropriate subsets of input vectors, which each can in turn be mapped to different output values of $\mathbb{Z}_q$. To accomplish this task we generalize the “folklore” construction. This method required that the function be such that for all $\mathbf{x} \in V_n$, $f(\mathbf{x}) = f(\bar{\mathbf{x}})$. In other words, $f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{a})$, where $wt(\mathbf{a}) = n$. Recall that a vector $\mathbf{a} \in V_n$ is a linear structure of a function $f$ if the derivative of $f$ with respect to $\mathbf{a}$ remains constant. In other words, for all CI(1) functions $f$ which were created using the “folklore” construction, $\mathbf{a} = 111\ldots1$ is a linear structure of $f$. There is, per se, no reason why we must choose this linear structure. We might just as well have chosen another linear structure.


Algorithm 3 CI(1) generalized Boolean function construction

1: Pick a vector $\mathbf{a} \in V_n$ such that $0 \le \kappa \le n - 1$ and $wt(\mathbf{a}) = n - \kappa$.

2: For all $\mathbf{x} \in V_n$, pair $\mathbf{x}$ with $\mathbf{x}' = \mathbf{x} \oplus \mathbf{a}$.

3: Vectors within each of the $2^{n-1}$ pairs agree in $\kappa$ positions. If $\kappa = 0$, map each pair to any desired output value in $\mathbb{Z}_q$. Otherwise, for each pair of vectors, combine it with a corresponding pair of vectors which differ with respect to the bits found at the indices where 0's occur in $\mathbf{a}$.

4: Finally, map each of the $2^{n-2}$ sets of four vectors to any output value in $\mathbb{Z}_q$.


Proof of Correctness of the CI(1) Generalized Boolean Function Construction: Suppose we create a Boolean function $f : V_n \to \mathbb{Z}_q$, where $1 \le q \le 2^{n-1}$, using the above described algorithm. The set of input vectors $V_n$ is a linear vector space, so for every $\mathbf{a} \in V_n$, the procedure whereby, for all $\mathbf{x} \in V_n$, we pair $\mathbf{x}$ with $\mathbf{x}' = \mathbf{x} \oplus \mathbf{a}$ uniquely partitions $V_n$ into $2^{n-1}$ pairs of vectors. Let $\kappa$ represent the number of zeros contained in $\mathbf{a}$, so $wt(\mathbf{a}) = n - \kappa$. Then the vectors $\mathbf{x}$ and $\mathbf{x}'$ within each pair agree in $\kappa$ of the $n$ index positions. If $\kappa = 0$, each vector pair can be mapped to any output value $c \in \mathbb{Z}_{n-1}$. (This is the “folklore” construction.) If on the other hand $\kappa > 0$, then there are $2^\kappa$ possible combinations for the bits in the $\kappa$ indices which correspond to where zeros occur in $\mathbf{a}$. However, since we have partitioned $V_n$, and each column of $V_n$ contains an equal number of 0's and 1's, there must be $2^{n-1-\kappa}$ vector pairs which contain each of the $2^\kappa$ possibilities. This in turn guarantees that for every vector pair within the partition, it is always possible to combine two corresponding pairs of vectors which disagree with respect to each of the bits found at the indices where zeros occur in $\mathbf{a}$. In fact, for a given $\mathbf{a}$, there are a total of

such groupings. Once one of these groupings has been carried out, we have ensured that each set of four vectors contains an equal number of 0's and 1's with respect to those indices. For the remaining indices, $\mathbf{a}$ contained all ones, which ensured that each of the $2^{n-1}$ vector pairs already contained a balance of 0's and 1's in these positions. Thus, by subsequently mapping each set of four vectors to an output value $c \in \mathbb{Z}_q$, the algorithm guarantees that for all $i$ from 1 to $n$, $\Pr(x_i = 0 \mid f(\mathbf{x}) = c) = 1/2$. Hence the function is correlation immune (order 1).


Example 3.7. Suppose we wish to construct a CI(1) generalized Boolean function $f : V_4 \to \mathbb{Z}_q$, where $1 \le q \le 4$. Rather than using the all ones vector to partition $V_n$, we select instead the vector $\mathbf{a} = 1010$. Letting $\kappa$ represent the number of zeros in $\mathbf{a}$, we then have $\kappa = 2$ with zeros occurring at index 1 and 3 (indexing from least to most significant bit). For each $\mathbf{x} \in V_4$, we pair $\mathbf{x}$ with $\mathbf{x}' = \mathbf{x} \oplus \mathbf{a}$. Doing so yields the following partition:

0000   0010   0100   0110   0001   0011   0101   0111
1010   1000   1110   1100   1011   1001   1111   1101

Since $\kappa = 2$, there are $2^2 = 4$ possible two-bit combinations for the bits located at index 1 and 3. Moreover, there are $2^{n-1-\kappa} = 2$ pairs of vectors which contain each of the 4 possible bit combinations at indices 1 and 3. We now combine each pair of vectors with a corresponding pair which disagrees with respect to the bits at index 1 and 3. There are a total of $(2^{n-1-\kappa}!)^{2^{\kappa-1}} = (2!)^2 = 4$ possible ways this can be accomplished. Finally, we map each of the $2^{n-2} = 4$ sets of vectors to 4 possible output values from $\mathbb{Z}_4$. Therefore, based on our selection of $\mathbf{a}$, there are a total of $4^4 = 256$ possible correlation immune (order 1) generalized Boolean functions which can be constructed using this algorithm. We list one such possible function in Table 3.4:
Table 3.4: A CI(1) generalized Boolean function $f : V_4 \to \mathbb{Z}_4$

V_4     f
0000    0
0001    3
0010    2
0011    1
0100    1
0101    2
0110    3
0111    0
1000    2
1001    1
1010    0
1011    3
1100    3
1101    0
1110    1
1111    2
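
The conditional-probability test of Example 3.1 and Definition 3.2, run over the four truth tables printed in this chapter so far. This is an added Python example, not code from the dissertation; the function names are chosen here, and $x_1$ is taken as the leftmost bit of each input string, matching Table 3.1.

```python
from fractions import Fraction
from itertools import combinations, product

def bit(x, i, n):
    """Value of x_i, with position 1 the leftmost bit of the n-bit input string."""
    return (x >> (n - i)) & 1

def cond_prob(table, n, positions, values, c):
    """Pr(x_i = v_i for every listed position | f(x) = c), as an exact fraction."""
    level = [x for x in range(2 ** n) if table[x] == c]
    hits = [x for x in level
            if all(bit(x, i, n) == v for i, v in zip(positions, values))]
    return Fraction(len(hits), len(level))

def ci_order(table, n):
    """Largest t for which Definition 3.2 holds for every output value (0 if none)."""
    order = 0
    for t in range(1, n + 1):
        for positions in combinations(range(1, n + 1), t):
            for values in product((0, 1), repeat=t):
                for c in set(table):
                    if cond_prob(table, n, positions, values, c) != Fraction(1, 2 ** t):
                        return order
        order = t
    return order

def output_counts(table):
    """Occurrences of each output value; Theorem 3.3 requires all even for CI(1)."""
    return {c: table.count(c) for c in sorted(set(table))}

# Truth tables copied from the page, inputs in lexicographic order.
EXAMPLE_3_1 = [0, 0, 0, 1, 0, 1, 1, 1]                        # x1x2 + x1x3 + x2x3
COMPLEMENT_PAIRS = [1, 1, 1, 0, 0, 1, 1, 1]                   # f(x) = f(complement of x)
TABLE_3_3 = [0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1]  # Algorithm 2, n = 4
TABLE_3_4 = [0, 3, 2, 1, 1, 2, 3, 0, 2, 1, 0, 3, 3, 0, 1, 2]  # Algorithm 3, values in Z_4

if __name__ == "__main__":
    for name, table, n in [("Example 3.1", EXAMPLE_3_1, 3),
                           ("complement pairs", COMPLEMENT_PAIRS, 3),
                           ("Table 3.3", TABLE_3_3, 4),
                           ("Table 3.4", TABLE_3_4, 4)]:
        print(f"{name}: CI order {ci_order(table, n)}, counts {output_counts(table)}")
    print("Pr(x1=0 | f=0), Example 3.1:", cond_prob(EXAMPLE_3_1, 3, (1,), (0,), 0))
    print("Pr(x1=0, x3=0 | f=1), complement pairs:",
          cond_prob(COMPLEMENT_PAIRS, 3, (1, 3), (0, 0), 1))
```

The function of Example 3.1 has even output counts yet order 0, so the even-count condition of Theorem 3.3 is necessary but not sufficient.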


3.3 A Higher Order Correlation Immune Construction 

The above algorithm enables us to construct a large class of order 1 correlation immune generalized Boolean functions. Although higher order correlation immune functions are less prevalent, we would nonetheless like to devise an algorithm with which we can construct correlation immune generalized Boolean functions of higher order. Before proceeding we must first introduce the following:

Definition 3.8. [11, p. 72] An $m \times n$ array with entries from a set of $s$ elements is called an orthogonal array of size $m$ with $n$ constraints, $s$ levels, strength $t$, and index $r$, if any set of $t$ columns of the array contains all possible row vectors exactly $r$ times. We will throughout this dissertation denote such orthogonal arrays by $OA(m, n, s, t)$.


There is a close connection between correlation immune Boolean functions and orthogonal arrays. Camion et al. first corresponded on this topic in 1992 [3].

Theorem 3.9. Every partition $P$ of $V_n$ which consists of $q$ binary orthogonal arrays, each of index 1 and strength $t$, can be used to construct a correlation immune (order $t$) generalized Boolean function $f : V_n \to \mathbb{Z}_q$, and every order $t$ correlation immune generalized Boolean function $f : V_n \to \mathbb{Z}_q$ generates a partition $P$ of $V_n$, where $P$ consists of $q$ binary orthogonal arrays, each of index 1 and strength $t$.

Proof. ($\Rightarrow$) Let $P$ be a partition of $V_n$ comprised of $q$ binary orthogonal arrays $O_j$, $0 \le j \le q - 1$, each of index 1 and strength $t$. For all $j$ and all vectors $\mathbf{x} \in O_j$, map $\mathbf{x} \to c_j$, where each value $c_j$ is a distinct value in $\mathbb{Z}_q$. This creates a generalized Boolean function $f : V_n \to \mathbb{Z}_q$. By Definition 3.8, any set of $t$ columns of each $O_j$ contains all $2^t$ possible row vectors once. Given the stipulated mapping, this in turn means that according to Definition 3.2, $f$ is an order $t$ correlation immune generalized Boolean function.

($\Leftarrow$) Let $f : V_n \to \mathbb{Z}_q$ be an order $t$ correlation immune generalized Boolean function. For each distinct output value $c_j \in \mathbb{Z}_q$, $0 \le j \le q - 1$, partition $V_n$ into $q$ subsets $O_j$ such that $O_j = \{\mathbf{x} \in O_j : f(\mathbf{x}) = c_j\}$. The function $f$ is correlation immune of order $t$, therefore according to Definition 3.2, for any fixed subset of $t$ input vector variables $x_i$, $1 \le i \le n$, the probability that, for $f(\mathbf{x}) = c_j$, the $t$ variables have any fixed set of values is $2^{-t}$. Thus according to Definition 3.8, each $O_j$ must be an index 1, strength $t$ binary orthogonal array. ■

Consequently, although not mentioned at the time, the subsets of $V_n$ which were created in the constructions of Algorithms 2 and 3 were in fact binary orthogonal arrays of index and strength 1. It is interesting to note that $V_n$ is itself an orthogonal array of strength $n$. This is the reason why all constant functions are (order $n$) correlation immune.

Lemma 3.10. Let $O$ be an $OA(m, n, 2, t)$ binary orthogonal array. Complementing any column $i$, $1 \le i \le n$, of $O$ produces another $OA(m, n, 2, t)$ binary orthogonal array.

Proof. Let $O$ be an $OA(m, n, 2, t)$ binary orthogonal array. Suppose by way of contradiction that we complement a column $i$, $1 \le i \le n$, of $O$ and that the resultant array, $O'$, is no longer an orthogonal array. If $O'$ is not an orthogonal array, it must be the case that there exists some set of $t$ columns for which one of the $2^t$ possible binary row vectors occurs with a frequency less than $r$. Now, $O$ was an orthogonal array, so for all possible combinations of $t$ columns, each of the $2^t$ possible binary row vectors in $O$ occurred with frequency $r$. The only changes made to $O$ took place in column $i$. Therefore, if one of the $2^t$ possible row vectors in $O'$ occurs with a frequency less than $r$, it must be the case that there exists an unequal number of 0's and 1's in column $i$ of $O'$. However, since column $i$ in $O'$ is the complement of column $i$ from $O$, this would mean that an imbalance of 0's and 1's existed in $O$, which in turn would mean that one of the $2^t$ possible binary row vectors of $O$ also occurred with a frequency less than $r$. This contradicts the fact that $O$ is an orthogonal array. We therefore conclude that complementing any column of an orthogonal array, $OA(m, n, 2, t)$, results in another orthogonal array, $OA(m, n, 2, t)$. ■


Example 3.11. Consider the following $4 \times 3$ binary array, $X$, along with all possible combinations of two of its columns:

X1 X2 X3      X1 X2      X1 X3      X2 X3
 0  0  0       0  0       0  0       0  0
 0  1  1       0  1       0  1       1  1
 1  0  1       1  0       1  1       0  1
 1  1  0       1  1       1  0       1  0

For every possible combination of 2 columns of $X$, the row vectors 00, 01, 10, and 11 all occur with frequency 1. Consequently, this is an $OA(4, 3, 2, 2)$ orthogonal array of index 1. Moreover, according to Lemma 3.10, complementing any column of $X$, for example column number 3, produces yet another $OA(4, 3, 2, 2)$ orthogonal array, $X'$:

X1 X2 X̄3
 0  0  1
 0  1  0
 1  0  0
 1  1  1

There also exists a relationship between orthogonal arrays and error correcting codes [2], [12], [19]. This connection is due to the fact that the codewords of an error correcting code can be used as the rows of an orthogonal array, or conversely the rows of an orthogonal array can be regarded as codewords of an error correcting code. For purposes which soon shall become clear, our construction will make use of orthogonal arrays created using linear error-correcting codes. Neither error-correcting codes nor orthogonal arrays are the focus of this dissertation. However, due to the central role which these topics play in our construction method of high order correlation immune generalized Boolean functions, we deem it prudent to include a few basic definitions, lemmas, and theorems for the benefit of readers unfamiliar with these topics. Rather than restating and reproving these results, much of this introductory material has been taken from Chapter 4 of Hedayat, Sloane, and Stufken’s excellent monograph on orthogonal arrays [19]. For consistency’s sake, we retain our finite field notation $\mathbb{F}_s$, where $s$ is a power of a prime, rather than adopt the authors’ notation of $GF(s)$ found in the original publication.


Definition 3.12. [19, p. 65] An error correcting code $C$ of length $n$, size $m$, minimum pairwise Hamming distance between distinct codewords of $d$, and which is defined over an alphabet $S$ of size $|S| = s$, is denoted $(n, m, d)_s$. To any such code we associate the $m \times n$ array whose rows are the codewords of $C$. This array is an orthogonal array $OA(m, n, s, t)$ for some $t$.

Definition 3.13. [19, p. 63] A code $C$ of length $n$ is said to be linear if the codewords are distinct and $C$ is a vector subspace of $\mathbb{F}_s^n$, thus $C$ has size $m = s^\ell$ for some nonnegative integer $0 \le \ell \le n$. Additionally, the minimum distance $d$ for a linear code is equal to the minimal Hamming weight of any nonzero codeword.

Definition 3.14. [19, p. 40] An orthogonal array is simple if the rows of the array are distinct.

Definition 3.15. [19, p. 40] Let $s$ be a prime power. An orthogonal array $OA(m, n, s, t)$ with levels from $\mathbb{F}_s$ is said to be linear if it is simple and if, when considered as $n$-tuples from $\mathbb{F}_s$, its $m$ rows form a vector space over $\mathbb{F}_s$.

Lemma 3.16. [19, p. 65] The orthogonal array associated with a code is linear if and only if the code is linear.

Proof. This follows immediately from the preceding definitions of linearity.


A linear $(m, n)$-code can be concisely described using an $m \times n$ generator matrix, $G$, in which the rows of the matrix form a basis for the code. The code $C$ then consists of all vectors $\mathbf{u} = \mathbf{x}G$, where $\mathbf{x}$ runs through all $\mathbf{x} \in S^n$ [19, p. 64].

Example 3.17. The $(7, 8, 4)_2$ code can be represented using the following generator matrix:

$$G = \begin{bmatrix} 1 & 0 & 0 & 1 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 & 1 \end{bmatrix}.$$

Each of the $2^3 = 8$ codewords can then be obtained by using the encoding function, $E(\mathbf{x}) = \mathbf{x}G$, where $\mathbf{x} \in V_3$. For example, the codeword associated with the vector $\mathbf{x} = 010$ is:

$$E(010) = 010 \cdot \begin{bmatrix} 1 & 0 & 0 & 1 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 & 1 \end{bmatrix} = 0101011.$$

For each linear code $C$, there exists an associated linear code called its dual, which we denote by $C^\perp$. This code consists of all vectors $\mathbf{v} \in S^n$ such that

$$\mathbf{u}\mathbf{v}^T = 0, \quad \forall \mathbf{u} \in C.$$

For example, the dual of the $(7, 8, 4)_2$ code given in Example 3.17 is a $(7, 16, 3)_2$ Hamming code. We refer to a code which is its own dual as a self-dual code. The distance of the dual code of $C$ is further denoted $d^\perp$.


Lemma 3.18. [19, p. 54] Let $A$ be an orthogonal array $OA(m, n, s, t)$ with entries from $\mathbb{F}_s$. Then any $t$ columns of $A$ are linearly independent over $\mathbb{F}_s$.

Proof. $m \times 1$ vectors $\mathbf{v}_1, \ldots, \mathbf{v}_t$ with components from a ring $R$ are said to be linearly independent over $R$ if the relation

$$c_1\mathbf{v}_1 + \cdots + c_t\mathbf{v}_t = 0, \quad c_1, \ldots, c_t \in R, \qquad (3.1)$$

implies that $c_1 = \cdots = c_t = 0$. An equivalent condition is that the matrix $[\mathbf{v}_1 \cdots \mathbf{v}_t]$ has rank $t$ over $R$. Now let $\mathbf{v}_1, \ldots, \mathbf{v}_t$ be any $t$ columns of $A$, and suppose (3.1) holds. There is a row vector $i$ with the first entry equal to 1 and others 0. Then (3.1) implies $c_1 = 0$. Similarly $c_2 = \cdots = c_t = 0$ [19, p. 54]. ■

Lemma 3.19. [19, p. 54] Let $A$ be an $m \times n$ matrix whose rows form a linear subspace of $\mathbb{F}_s^k$. If any $t$ columns of $A$ are linearly independent over $\mathbb{F}_s$, then $A$ is an orthogonal array $OA(m, n, s, t)$.


Proof. Suppose $m = s^\ell$, and let $G$ be an $\ell \times n$ generator matrix for $A$, so that the rows of $A$ consist of all $n$-tuples $\xi G$, where $\xi = (\xi_1, \ldots, \xi_\ell)$, $\xi_i \in \mathbb{F}_s$. Choose $t$ columns of $A$, and let $G_1$ be the corresponding $\ell \times t$ submatrix of $G$. Clearly the columns of $G_1$ are linearly independent. The number of times that a $t$-tuple $\mathbf{z}$ appears as a row in these $t$ columns of $A$ is equal to the number of $\xi$ such that

$$\xi G_1 = \mathbf{z}.$$

Since $G_1$ has rank $t$, this number is $s^{\ell - t}$ for all $\mathbf{z}$. Therefore $A$ is an orthogonal array of strength $t$ [19, p. 54]. ■

We are now in a position to introduce the following important theorem which establishes 
the connection between orthogonal arrays and linear codes and specifies how the strength of 
a linear orthogonal array is related to the associated linear code. Although we use Hedayat’s 
proof of the theorem here, the theorem itself is attributed to Bose who included the result 
in his 1961 paper [2]. 
Theorem 3.20. [19, p. 66] If $C$ is a $(n, m, d)_s$ linear code over $\mathbb{F}_s$ with dual distance $d^\perp$, then the codewords of $C$ form rows of an orthogonal array $OA(m, n, s, d^\perp - 1)$ with entries from $\mathbb{F}_s$. Conversely, the rows of a linear orthogonal array $OA(m, n, s, t)$ over $\mathbb{F}_s$ form a $(n, m, d)_s$ linear code over $\mathbb{F}_s$ with dual distance $d^\perp \ge t + 1$. If the orthogonal array has strength $t$ but not $t + 1$, $d^\perp$ is precisely $t + 1$.

Proof. ($\Rightarrow$) Suppose $C$ is a $(n, m, d)_s$ linear code over $\mathbb{F}_s$ with dual distance $d^\perp$. Let $A$ be the array formed by the codewords of $C$. Any $d^\perp - 1$ columns of $A$ must be linearly independent over $\mathbb{F}_s$, or else there would be a codeword of weight less than $d^\perp$ in the dual code, which would contradict the hypothesis that $d^\perp$ is the minimal nonzero distance in the dual code. By Lemma 3.19, $A$ is an $OA(m, n, s, d^\perp - 1)$.

($\Leftarrow$) Conversely, let $C$ be the code associated with a linear $OA(m, n, s, t)$. By Lemma 3.18, any $t$ columns of the array are linearly independent, so there cannot be a codeword of weight $t$ or less in $C^\perp$. If the array does not have strength $t + 1$, some $t + 1$ columns are dependent, and so there is a codeword of weight $t + 1$ in the dual code, hence $d^\perp = t + 1$ [19, p. 66]. ■

The eoneept of dual eodes is important in the study of orthogonal arrays. As seen above, 
it allowed us to establish the eonneetion between orthogonal arrays and linear eodes in the 
proof of Theorem 3.20. Moreover, sinee orthogonal arrays ean be ereated using linear eodes 
and linear eodes are either self-dual or give rise to dual eodes, this frequently results in eon- 
neetions between pairs of orthogonal arrays. For example, the eodewords of the (7,8, 4)2 
eode, C, from Example 3.17 form a tM(8,7,2,2) orthogonal array, while the eode words 
of its dual eode, C^, (7,16,3)2, creates a OA(16,7,2,3) orthogonal array. We shall later 
extend the concept of duality to correlation immune generalized Boolean functions which 
were created using orthogonal arrays. Having covered a sufficient amount of background 
information, we are now in a position to introduce our construction method for higher order 
correlation immune generalized Boolean functions. To motivate the technique, we begin 
again by considering the “folklore” construction. 

Consider a CI(1) function $f \in$ which was created using the folklore construction. Here the linear structure, $a = 11111$, is used to partition $V_5$ and for all $x \in V_5$, $f(x) = f(x \oplus a)$. In particular, the set of input vectors $\{00000, 11111\}$ are mapped to the same output value. These two vectors constitute the $(5,2,5)_2$ linear code, and by Theorem 3.20, they also form the $OA(2,5,2,1)$ orthogonal array. Viewed from an orthogonal array perspective, the folklore construction is carried out as follows: Let $G = (V_5, \oplus)$ represent the abelian group of binary input vectors formed under the $\oplus$ operation. $OA(2,5,2,1)$ is a linear orthogonal array since it was created using the linear code $(5,2,5)_2$. Since $(5,2,5)_2$ is a linear code, it forms a subgroup of $G$. Let $O_0 = OA(2,5,2,1)$. For each lexicographic ordered input vector $x$ from 00001 to 01111 we form the cosets, $O_i$, $1 \le i \le 15$, of $O_0$ by adding $x$ to each of the two row vectors in $O_0$. Then $\bigcup_{i=0}^{15} O_i = V_5$ and we have partitioned $V_5$ into 16 pairs of vectors. Moreover, according to Lemma 3.10, each of the cosets of $O_0$ is also an (order 1) orthogonal array. Therefore, by mapping the two row vectors within each orthogonal array, $O_i$, to the same output value, $c \in \mathbb{Z}_q$, we have constructed a CI(1) function.

The benefit of this construction method is that it allows us to use any linear orthogonal array $OA(m,n,2,t)$, where $m = 2^\ell$ and $n > \ell$, to build a correlation immune (order $t$) generalized Boolean function $f \in$ where $q = 2^{n-\ell}$.


Algorithm 4 CI(t) generalized Boolean function construction

 1: Select a linear orthogonal array $A = OA(m,n,2,t)$, where $m = 2^\ell$ and $n > \ell$.
 2: for $i = 1$ to $m$ do
 3:     Add row vector $x_i \in A$ to the set $O_0$.
 4: end for
 5: Add $O_0$ to the set, $S$, of orthogonal arrays.
 6: for $j = 1$ to $2^{n-\ell} - 1$ do
 7:     Select a vector $a_j \in V_n$, such that $\forall O_k \in S$, where $k < j$, $a_j \notin O_k$.
 8:     for $i = 1$ to $m$ do
 9:         Compute $y_i = x_i \oplus a_j$, where $x_i$ are row vectors in $O_0$.
10:         Add $y_i$ to $O_j$.
11:     end for
12:     Add $O_j$ to $S$.
13: end for
14: Select a permutation, $p$, of the set $\{1,2,\ldots,n\}$.
15: for $i = 1$ to $2^{n-\ell}$ do
16:     Reorder the columns, $c_k$, $k = 1$ to $n$, of $O_i$ such that $O_i^{(p)} = [c_{p_1}, c_{p_2}, \ldots, c_{p_n}]$, where $p_n$ is the $n$-th element of $p$.
17: end for
18: for $h = 1$ to $2^{n-\ell}$ do
19:     Select an output value $c_h \in \mathbb{Z}_q$, $2 \le q \le 2^{n-\ell}$.
20:     for $i = 1$ to $m$ do
21:         Save the ordered pair, $\{x_i, c_h\}$, where $x_i \in O_h^{(p)}$, to a 2D array, $f$.
22:     end for
23: end for
24: Sort $f$ so that the first elements of each ordered pair, $\{x_i, c_h\} \in f$, appear in lexicographic order.





Proof of Correctness of the CI(t) Generalized Boolean Function Construction: Suppose we wish to create a correlation immune (order $t$) generalized Boolean function $f \in$ using the above described algorithm. We first select a suitable linear orthogonal array, $O_0 = OA(m,n,2,t)$, such that $t$ satisfies the desired correlation immunity order and $n$ satisfies the required input variable length for our function. Since $O_0$ is a linear orthogonal array, its row vectors form a subgroup of $V_n$. Let $m = 2^\ell$. By selecting an orthogonal array with $m$ such that $2^{n-\ell} \ge q$ we ensure that our construction can achieve the requisite number of functional output values, $q$. Moreover, the fact that $O_0$ is simple and forms a subgroup of $V_n$ guarantees that $O_0$ along with its $2^{n-\ell} - 1$ cosets cover $V_n$. We construct each coset $O_i$, $i = 1$ to $2^{n-\ell} - 1$, by selecting a vector $a \in V_n$ not present in $O_0$ (or any other coset). Lemma 3.10 tells us that each of these cosets is also an $OA(m,n,2,t)$ orthogonal array. Having done so, we have thus partitioned $V_n$ into $2^{n-\ell}$ orthogonal arrays each of strength $t$. We now select one of the $n!$ possible permutations, $p = \{p_1, p_2, \ldots, p_n\}$, of the integers $\{1,2,\ldots,n\}$, where $p_n$ is the $n$-th element of the set $p$. Let $O_i = [c_1, c_2, \ldots, c_n]$, where $c_j$, $1 \le j \le n$, represents a column vector. We reorder the columns of each orthogonal array $O_i$ such that $O_i^{(p)} = [c_{p_1}, c_{p_2}, \ldots, c_{p_n}]$. Since by Definition 3.8, each $O_i$, $i = 0$ to $2^{n-\ell} - 1$, must contain all $2^t$ possible row vectors for any combination of $t$ columns, each resultant array $O_i^{(p)}$ will remain an orthogonal array. Moreover, while the column reordering will alter the vectors which occur within each orthogonal array $O_i^{(p)}$, the set of all orthogonal arrays $O_i^{(p)}$, $i = 0$ to $2^{n-\ell} - 1$, will still cover $V_n$. To recognize that this is indeed the case, consider the following: The set of simple orthogonal arrays $S = \{O_0, O_1, \ldots, O_{2^{n-\ell}-1}\}$ covers $V_n$. There are a total of $2^n$ row vectors in $V_n$, each of which is unique. Since we respect the same reordering scheme, $O_i^{(p)} = [c_{p_1}, c_{p_2}, \ldots, c_{p_n}]$, for $i = 0$ to $2^{n-\ell} - 1$, it must be the case that each vector in $S^{(p)} = \{O_0^{(p)}, O_1^{(p)}, \ldots, O_{2^{n-\ell}-1}^{(p)}\}$ is also unique. Since there are also $2^n$ row vectors in $S^{(p)}$, it must be the case that the set of modified orthogonal arrays $S^{(p)}$ also covers $V_n$. Finally, to each set of input vectors, $O_i^{(p)}$, we associate an output value $c_i \in \mathbb{Z}_q$, where $q \le 2^{n-\ell}$. Since each orthogonal array $O_i^{(p)}$ is strength $t$, we have thus created a CI(t) generalized Boolean function $f \in$


To illustrate the algorithm further, we provide the following example:

Example 3.21. Suppose we wish to construct a higher order ($t > 1$) correlation immune generalized Boolean function $f \in$. We begin by finding a linear orthogonal array suitable for the task. In this case, $OA(8,5,2,2)$ is a good candidate. Let $O_0 = OA(8,5,2,2)$.

$$O_0 = \begin{bmatrix} 0&0&0&0&0\\ 1&0&0&1&1\\ 0&1&0&1&0\\ 0&0&1&0&1\\ 1&1&0&0&1\\ 1&0&1&1&0\\ 0&1&1&1&1\\ 1&1&1&0&0 \end{bmatrix}.$$

Since $OA(8,5,2,2)$ is a linear orthogonal array, $O_0$'s row vectors form a subgroup of $V_5$. We can therefore cover $V_5$ by forming the 3 cosets of $O_0$. To do so, we iteratively proceed as follows: For $i = 1$ to 3 we form $O_i$ by selecting a vector, $a \in V_n$, which is not present in any of the preceding orthogonal arrays, $O_j$, where $j < i$. Then for each row vector $x_k \in O_0$, $k = 1$ to 8, we compute $x_k \oplus a$ and add it to $O_i$. Doing so produces the cosets

$$O_1 = \begin{bmatrix} 0&0&0&0&1\\ 1&0&0&1&0\\ 0&1&0&1&1\\ 0&0&1&0&0\\ 1&1&0&0&0\\ 1&0&1&1&1\\ 0&1&1&1&0\\ 1&1&1&0&1 \end{bmatrix},\quad
O_2 = \begin{bmatrix} 0&0&0&1&0\\ 1&0&0&0&1\\ 0&1&0&0&0\\ 0&0&1&1&1\\ 1&1&0&1&1\\ 1&0&1&0&0\\ 0&1&1&0&1\\ 1&1&1&1&0 \end{bmatrix},\quad
O_3 = \begin{bmatrix} 1&0&0&0&0\\ 0&0&0&1&1\\ 1&1&0&1&0\\ 1&0&1&0&1\\ 0&1&0&0&1\\ 0&0&1&1&0\\ 1&1&1&1&1\\ 0&1&1&0&0 \end{bmatrix}.$$

Lemma 3.10 ensures that these newly formed cosets are all $OA(8,5,2,2)$ orthogonal arrays in their own right. We now select a permutation, $p$, of the set $\{1,2,\ldots,5\}$, say for example $p = \{2,1,3,5,4\}$. For each of the orthogonal arrays, $O_i$, $i = 0$ to 3, we rearrange the columns of $O_i$ such that $O_i^{(p)} = [c_{p(1)}, c_{p(2)}, c_{p(3)}, c_{p(4)}, c_{p(5)}] = [c_2, c_1, c_3, c_5, c_4]$:

$$O_0^{(p)} = \begin{bmatrix} 0&0&0&0&0\\ 0&1&0&1&1\\ 1&0&0&0&1\\ 0&0&1&1&0\\ 1&1&0&1&0\\ 0&1&1&0&1\\ 1&0&1&1&1\\ 1&1&1&0&0 \end{bmatrix},\quad
O_1^{(p)} = \begin{bmatrix} 0&0&0&1&0\\ 0&1&0&0&1\\ 1&0&0&1&1\\ 0&0&1&0&0\\ 1&1&0&0&0\\ 0&1&1&1&1\\ 1&0&1&0&1\\ 1&1&1&1&0 \end{bmatrix},$$

$$O_2^{(p)} = \begin{bmatrix} 0&0&0&0&1\\ 0&1&0&1&0\\ 1&0&0&0&0\\ 0&0&1&1&1\\ 1&1&0&1&1\\ 0&1&1&0&0\\ 1&0&1&1&0\\ 1&1&1&0&1 \end{bmatrix},\quad
O_3^{(p)} = \begin{bmatrix} 0&1&0&0&0\\ 0&0&0&1&1\\ 1&1&0&0&1\\ 0&1&1&1&0\\ 1&0&0&1&0\\ 0&0&1&0&1\\ 1&1&1&1&1\\ 1&0&1&0&0 \end{bmatrix}.$$

By subsequently assigning the same output value from $\mathbb{Z}_4$ to the vectors within each orthogonal array, say for example $\{O_0^{(p)} \to 0,\ O_1^{(p)} \to 1,\ O_2^{(p)} \to 2,\ O_3^{(p)} \to 3\}$, we create the CI(2) generalized Boolean function depicted in Table 3.5:


Table 3.5: A CI(2) generalized Boolean function f

V_5      a_0   a_1   a_0 ⊕ a_1   f
00000    0     0     0           0
00001    0     1     1           2
00010    1     0     1           1
00011    1     1     0           3
00100    1     0     1           1
00101    1     1     0           3
00110    0     0     0           0
00111    0     1     1           2
01000    1     1     0           3
01001    1     0     1           1
01010    0     1     1           2
01011    0     0     0           0
01100    0     1     1           2
01101    0     0     0           0
01110    1     1     0           3
01111    1     0     1           1
10000    0     1     1           2
10001    0     0     0           0
10010    1     1     0           3
10011    1     0     1           1
10100    1     1     0           3
10101    1     0     1           1
10110    0     1     1           2
10111    0     0     0           0
11000    1     0     1           1
11001    1     1     0           3
11010    0     0     0           0
11011    0     1     1           2
11100    0     0     0           0
11101    0     1     1           2
11110    1     0     1           1
11111    1     1     0           3
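
The following Python sketch is an added example, not code from the dissertation: it carries out Algorithm 4 on the $O_0$ and permutation $p$ of Example 3.21, then measures the correlation immunity order of the result and of its two Boolean components directly from the definition. The function names, the bit-string encoding of vectors, and the choice of each coset representative as the first uncovered vector in lexicographic order are assumptions of this example.

```python
from collections import Counter
from itertools import combinations, product

# O_0 = OA(8,5,2,2) and p = {2,1,3,5,4}, copied from Example 3.21.
# Vectors are bit strings; the leftmost character is column 1.
O0 = ["00000", "10011", "01010", "00101", "11001", "10110", "01111", "11100"]
P = (2, 1, 3, 5, 4)


def xor(u, v):
    """Bitwise XOR of two equal-length bit strings."""
    return "".join("1" if a != b else "0" for a, b in zip(u, v))


def cosets(o0, n):
    """Steps 1-13: O_0 followed by its cosets, which together partition V_n.

    Assumption of this example: each representative a_j is the first vector,
    in lexicographic order, that no earlier array contains.
    """
    rows = set(o0)
    if any(xor(u, v) not in rows for u in rows for v in rows):
        raise ValueError("O_0 is not closed under XOR, so it is not linear")
    arrays, covered = [list(o0)], set(rows)
    for bits in product("01", repeat=n):
        a = "".join(bits)
        if a not in covered:
            coset = [xor(x, a) for x in o0]
            arrays.append(coset)
            covered.update(coset)
    return arrays


def permute_columns(rows, p):
    """Steps 14-17: column j of the result is column p[j] of the input."""
    return ["".join(r[k - 1] for k in p) for r in rows]


def build_truth_table(o0, n, p, outputs=None):
    """Steps 18-24: give every vector of the h-th permuted array the value c_h
    and return the truth table with inputs in lexicographic order."""
    arrays = [permute_columns(c, p) for c in cosets(o0, n)]
    if outputs is None:
        outputs = list(range(len(arrays)))  # O_h^(p) -> h, as in Example 3.21
    if len(outputs) != len(arrays):
        raise ValueError("need exactly one output value per orthogonal array")
    value = {x: c for rows, c in zip(arrays, outputs) for x in rows}
    if len(value) != 2 ** n:
        raise ValueError("permuted arrays do not cover V_n")
    return [value[format(i, f"0{n}b")] for i in range(2 ** n)]


def is_ci(f, n, t):
    """True when Pr(y = y0 | f(x) = c) = 2^-t for every choice y of t input
    positions, every t-bit pattern y0 and every output value c."""
    occurrences = Counter(f)
    inputs = [format(i, f"0{n}b") for i in range(2 ** n)]
    for cols in combinations(range(n), t):
        joint = Counter((tuple(x[k] for k in cols), c)
                        for x, c in zip(inputs, f))
        for c, count in occurrences.items():
            for y0 in product("01", repeat=t):
                if joint[(y0, c)] * 2 ** t != count:
                    return False
    return True


def ci_order(f, n):
    """Largest t for which f is correlation immune of order t (0 if none)."""
    t = 0
    while t < n and is_ci(f, n, t + 1):
        t += 1
    return t


if __name__ == "__main__":
    f = build_truth_table(O0, 5, P)
    print("f:", f)
    print("CI order of f  :", ci_order(f, 5))
    print("CI order of a_0:", ci_order([v & 1 for v in f], 5))
    print("CI order of a_1:", ci_order([v >> 1 for v in f], 5))
```

Run as a script, it reproduces the $f$ column of Table 3.5 and reports order 2 for $f$ and for both Boolean components.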


Given the fact that Algorithm 4 makes use of column permutations when constructing generalized Boolean functions, it is of interest to investigate when such actions result in new orthogonal arrays and partitions of $V_n$.

Definition 3.22. An orthogonal array whose set of row vectors remains invariant under the full symmetric group $S_n$ of column permutations is called a symmetric orthogonal array.

Example 3.23. The orthogonal array $OA(4,3,2,2)$:

$$O = \begin{bmatrix} 0&0&0\\ 0&1&1\\ 1&0&1\\ 1&1&0 \end{bmatrix}$$

is a symmetric orthogonal array, since the set of $O$'s row vectors remains invariant under the full symmetric group $S_3$ of column permutations.

Remark 3.24. Given an orthogonal array, $O = OA(m,n,2,t)$, it is a relatively straightforward matter to check whether or not it is symmetric. Let $H$ represent the set of Hamming weights of all $m$ row vectors in $O$. In order for $O$ to be a symmetric orthogonal array, for each Hamming weight, $h \in H$, $O$ must contain all vectors, $x \in V_n$, such that $wt(x) = h$.

Lemma 3.25. Given a symmetric linear orthogonal array $O = OA(2^{n-1},n,2,t)$, the remaining set of vectors $V_n \setminus O$ also forms a symmetric orthogonal array.

Proof. Let $O_0$ be a symmetric linear orthogonal array $OA(2^{n-1},n,2,t)$. Since $O_0$ is a linear orthogonal array, the row vectors of $O_0$ form an order $2^{n-1}$ abelian subgroup, $O_0 \le (V_n, \oplus)$. We select a vector $a \in V_n$ which is not present in $O_0$ and add it in turn to each row vector in $O_0$. The resultant set of vectors, $O_1$, is the coset of $O_0$ and $O_0 \cup O_1 = V_n$. Moreover, according to Lemma 3.10, $O_1$ is also an $OA(2^{n-1},n,2,t)$ orthogonal array. Let $H$ represent the set of Hamming weights of all row vectors in $O_0$. Since $O_0$ is symmetric, it must be the case that for each $h \in H$, $O_0$ contains all vectors $x \in V_n$ such that $wt(x) = h$. This in turn means that $O_1$ contains all vectors $y \in V_n$ such that $wt(y) \notin H$, thus demonstrating that $O_1$ is also a symmetric orthogonal array. ■

Definition 3.26. A partition of $V_n$ which remains invariant under the full symmetric group $S_n$ of column permutations is called a symmetric partition.

Remark 3.27. Lemma 3.25 demonstrates the fact that binary symmetric linear orthogonal arrays with $n$ constraints and size $2^{n-1}$ give rise to symmetric partitions of $V_n$. However, it is possible for a partition containing subsets, some of which are not symmetric, to nonetheless be symmetric. To illustrate the point, consider the following:

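Example 3.28. Below we list the linear orthogonal array $O_0 = OA(2,4,2,1)$ along with its 7 cosets:

$$O_0 = \begin{bmatrix} 0&0&0&0\\ 1&1&1&1 \end{bmatrix},\quad
O_1 = \begin{bmatrix} 0&0&0&1\\ 1&1&1&0 \end{bmatrix},\quad
O_2 = \begin{bmatrix} 0&0&1&0\\ 1&1&0&1 \end{bmatrix},\quad
O_3 = \begin{bmatrix} 0&1&0&0\\ 1&0&1&1 \end{bmatrix},$$

$$O_4 = \begin{bmatrix} 1&0&0&0\\ 0&1&1&1 \end{bmatrix},\quad
O_5 = \begin{bmatrix} 0&0&1&1\\ 1&1&0&0 \end{bmatrix},\quad
O_6 = \begin{bmatrix} 0&1&0&1\\ 1&0&1&0 \end{bmatrix},\quad
O_7 = \begin{bmatrix} 0&1&1&0\\ 1&0&0&1 \end{bmatrix}.$$

While $O_0$ clearly is a symmetric linear orthogonal array, given that it remains invariant under all column permutations, its cosets are not. Despite this fact, the set of all orthogonal arrays, $P = \{O_0, O_1, \ldots, O_7\}$, is nonetheless symmetric. The reason for this is that $P$ forms a group under the set E of the $4!$ column permutations. For example, for one such column permutation $\sigma = 4123$

$$\begin{pmatrix} O_0 & O_1 & O_2 & O_3 & O_4 & O_5 & O_6 & O_7 \\ O_0 & O_4 & O_1 & O_2 & O_3 & O_7 & O_6 & O_5 \end{pmatrix}$$

$(O_1\, O_4\, O_3\, O_2)$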


Proposition 3.29. The partition of $V_n$ used in the folklore CI(1) construction is symmetric.

Proof. The folklore construction partitions $V_n$ into $2^{n-1}$ pairs of complementary vectors. Every column in each pair contains complementary bits. For each vector pair $x$ and $\bar{x}$, any column permutation $\sigma$ therefore produces a pair of complementary vectors $x'$ and $\bar{x}'$. Since each vector in the partition is unique and $\sigma$ is applied to all vector pairs, the permutation results in $2^{n-1}$ pairs of complementary vectors. ■

A nonsymmetric partition of $V_n$ gives rise to multiple partitions of $V_n$ under the set of column permutations. The exact number of resultant partitions depends upon the partition in question, but is bounded above by $n!$.

Theorem 3.30. Let $O = OA(2^\ell,n,2,t)$, $n > \ell$, be a linear orthogonal array, and let $F$ represent the set of distinct correlation immune (order $t$) generalized Boolean functions $f \in$ where $q = 2^{n-\ell}$. The number $|F|$ of distinct CI(t) generalized Boolean functions that can be constructed using $O$ and Algorithm 4 is bounded by:

$$\left(2^{n-\ell}\right)^{2^{n-\ell}} \le |F| \le n!\left(2^{n-\ell}\right)^{2^{n-\ell}}.$$

Proof. Let $O = OA(2^\ell,n,2,t)$, $\ell \le n-1$, be a linear orthogonal array. If $O$ is symmetric and gives rise to a symmetric partition $P$ of $V_n$, the set of partitions produced by column permutations is singular. Since $O$ is a linear orthogonal array, $O$ along with its $2^{n-\ell} - 1$ cosets (each of which also are $OA(2^\ell,n,2,t)$ orthogonal arrays) therefore cover $V_n$. In order to ensure correlation immunity (order $t$) we assign the same output value to all row vectors within each of the $2^{n-\ell}$ orthogonal arrays. Assigning a unique value to each orthogonal array establishes the maximum size of the image of $f$, $|f(V_n)| = 2^{n-\ell}$. For each of the $2^{n-\ell}$ orthogonal arrays in $P$ there are $q = 2^{n-\ell}$ choices for the output value, which in turn establishes the stated lower bound of $\left(2^{n-\ell}\right)^{2^{n-\ell}}$. If, on the other hand, the partition $P$ is nonsymmetric, then the set of column permutations will produce several distinct partitions of $V_n$. Consider the extreme case: Suppose $O$ contains row vectors, each of which has unique Hamming weight and each column of $O$ is also unique. In this case, each of the $n!$ column permutations of $O$ would produce a unique orthogonal array. Each of these is a linear orthogonal array, and thus along with its cosets gives rise to a unique partition of $V_n$. Each of the $n!$ partitions contains $2^{n-\ell}$ orthogonal arrays, so the maximum size of the image of $f$ is again $|f(V_n)| = 2^{n-\ell}$. For each of the $2^{n-\ell}$ orthogonal arrays in a given partition, there are $q = 2^{n-\ell}$ choices for the output value. Hence, as before, for each partition there are $\left(2^{n-\ell}\right)^{2^{n-\ell}}$ possible ways of assigning OA-output value pairs. Thus, the upper bound for the total number of CI(t) generalized Boolean functions we can construct with $O$ and Algorithm 4 is bounded above by $n!\left(2^{n-\ell}\right)^{2^{n-\ell}}$. ■

Given the construction method of Algorithm 4, the maximum number of output values which a correlation immune generalized Boolean function $f \in$ can achieve is $2^n/m$, where $m$ is the size of the linear orthogonal array $OA(m,n,2,t)$. We use this fact along with the Singleton bound to establish bounds on the size of the image of $f$.

Theorem 3.31 (Singleton bound for CI(t) generalized Boolean functions). Let $f \in$ be a CI(t) generalized Boolean function constructed using a linear orthogonal array $OA(m,n,2,t)$ and Algorithm 4. Then the size of the image of $f$ is bounded by


where d is the minimum distance of the linear code associated with the linear orthogonal 
array. 


Proof. Let $O$ be the linear orthogonal array $OA(m,n,2,t)$ which was used to construct $f$ in accordance with Algorithm 4. Let $C$ denote the linear code associated with $O$, let $|C|$ denote the number of codewords in $C$, and let $d$ denote the minimum distance for $C$. Then $m = |C|$. $C$ is a linear code, therefore it is simple. From Theorem 4.20 [19, p. 79] we know that, for a set of vectors $C$ of length $n$ with minimal distance $d$ and strength $t$

$$s^t \le |C| \le s^{n-d+1}$$

where $s$ is the vector alphabet size and the right-hand side bound assumes that $C$ is a simple code. Letting $s = 2$ we then have:

$$2^t \le |C| \le 2^{n-d+1}$$

Algorithm 4 partitions $V_n$ into subsets of size $m$, each of which is subsequently assigned an output value from $\mathbb{Z}_q$. The maximum size of the image of $f$ is therefore $2^n/m = 2^n/|C|$. This number is largest when $|C|$ is smallest and vice versa. Therefore:

$$2^{n-(n-d+1)} \le |f(V_n)| \le 2^{n-t}$$

which establishes the stated bounds on the cardinality of the image of $f$. ■

Proposition 3.32 (CI(t) generalized Boolean functions duality). Let $O$ be an $OA(m,n,2,t)$ linear orthogonal array and let $C$ be its corresponding $(n,m,d)_2$ linear code. Let $C^\perp$ be the dual code of $C$ and let $O^\perp$ represent the dual orthogonal array associated with $C^\perp$. Let $F$ represent the set of correlation immune (order $t$) generalized Boolean functions that can be constructed using $O$ and Algorithm 4. If $n$ is odd, or if $n$ is even and the Hamming weight of at least one of $O$'s row vectors is not divisible by 2, then there exists a set $F^\perp$ of correlation immune generalized Boolean functions which can be constructed using $O^\perp$.

Proof. This is a direct consequence of Theorem 3.20 and the existence of dual codes. Binary linear (even or doubly-even) self-dual codes occur when $n$ is even and the Hamming weight of each codeword is divisible by 2 or 4 respectively [26, p. 27]. By stipulating that either $n$ be odd, or $n$ be even and $O$ contain at least one row vector which is divisible by 2, we ensure that $C$ is not a self-dual code. This means that a distinct linear orthogonal array $O^\perp$ exists which can in turn be used in conjunction with Algorithm 4 to generate $F^\perp$. ■

Proposition 3.33. Let $u \ge 1$, $\ell \le n-1$ and $q \le 2^{n-\ell}$. When constructing correlation immune functions using Algorithm 4, CI(2u) functions $f \in$ exist if and only if CI(2u+1) functions $f \in$ exist.

Proof. This is a direct consequence of Theorem 2.24 by Hedayat, Sloane and Stufken [19, p. 28], which states: An $OA(m,n,2,2u)$ orthogonal array exists if and only if an $OA(2m,n,2,2u+1)$ orthogonal array exists. In the interest of brevity, we omit their proof here. The interested reader may refer to their work for the proof of this orthogonal array result. ■


There are many known linear orthogonal arrays which are suitable for constructing higher order correlation immune generalized Boolean functions $f \in$ using the method outlined in Algorithm 4. Using [19] and [41] we have, for the benefit of the reader, compiled an (incomplete) list of function parameters, $n$, $q$ and $t$, along with the parameters of corresponding known linear orthogonal arrays in Table 3.6. Additionally, several of these linear orthogonal arrays can be found in Appendix C.
Table 3.6: Some orthogonal arrays and associated generalized Boolean function parameters

n     q ≤     CI(t)   OA
5     4       2       OA(8,5,2,2)
6     4       3       OA(16,6,2,3)
7     16      2       OA(8,7,2,2)
7     8       3       OA(16,7,2,3)
8     16      3       OA(16,8,2,3)
9     4       5       OA(2^7,9,2,5)
12    4       7       OA(2^10,12,2,7)
15    2^11    2       OA(16,15,2,2)
15    2^      3       OA(22,15,2,3)
15    2’      4       OA(2^ 15,2,4)
16    2^11    3       OA(32,16,2,3)
16    32      7       OA(2^11,16,2,7)
18    8       9       OA(2^15,18,2,9)
20    2^11    5       OA(2^9,20,2,5)
24    2^14    5       OA(2^10,24,2,5)
24    2^12    7       OA(2^12,24,2,7)
31    2^26    2       OA(32,31,2,2)
32    2^26    3       OA(64,32,2,3)
32    2^21    5       OA(2^11,32,2,5)
32    2^6     15      OA(2^26,32,2,15)


3.4 New From Old Correlation Immune Generalized Boolean Functions

In his original paper [40], Siegenthaler provided a construction of a large class of correlation immune (order $t$) functions on $n + 1$ variables by concatenating the truth tables of two $n$ variable correlation immune (order $t$) Boolean functions. This method, along with the proof of its correctness, can be found in Cusick and Stanica's book on Cryptographic Boolean functions [11, p. 74]. We extend here their theorem (4.20) so that it applies to generalized Boolean functions. Before doing so, it is however necessary for us to generalize Lemma 4.2 (f) [11, p. 56], also contained in their aforementioned monograph.

Lemma 3.34. Let $f \in$ be a generalized Boolean function and let $x = (x_1, \ldots, x_n) \in V_n$ be an input vector of $f$. Let $y = (x_{i(1)}, \ldots, x_{i(t)})$ be made up of an arbitrary choice of $t$ of the variables $x_i$, and let $y_0 = (y_1, \ldots, y_t)$ be any fixed binary $t$-vector. Let $wt(f|c)$ denote the number of occurrences of $c$ in the truth table of $f$. If $f$ is correlation immune of order $t$, then for all $y$ and for each $y_0$, $\Pr(f(x) = c \mid y = y_0) = \Pr(f(x) = c) = \frac{wt(f|c)}{2^n}$.

Proof. Let $f \in$ be a correlation immune (order $t$) generalized Boolean function. Then, since $f$ is correlation immune of order $t$, for all $c$ we have

$$\Pr(y = y_0 \mid f(x) = c) = \frac{\Pr(y = y_0 \cap f(x) = c)}{\Pr(f(x) = c)} = \frac{1}{2^t} \implies \Pr(y = y_0 \cap f(x) = c) = \frac{\Pr(f(x) = c)}{2^t}$$

and

$$\Pr(f(x) = c \mid y = y_0) = \frac{\Pr(f(x) = c \cap y = y_0)}{\Pr(y = y_0)} = \frac{\Pr(f(x) = c)}{2^t \cdot \Pr(y = y_0)} = \frac{\Pr(f(x) = c)}{2^t \cdot 2^{-t}} = \frac{wt(f|c)}{2^n}$$


Theorem 3.35. Let $x = (x_1, \ldots, x_n)$ and suppose that we have correlation immune (order $t$) generalized Boolean functions, $f_1, f_2 \in$ such that $\forall c \in f_1(V_n) = f_2(V_n)$, $\Pr(f_1(x) = c) = \Pr(f_2(x) = c) = p$. Then the function $f$ of $n + 1$ variables defined by

$$f(x, x_{n+1}) = x_{n+1} f_1(x) + (x_{n+1} \oplus 1) f_2(x) \qquad (3.2)$$

is also correlation immune of order $t$ and satisfies $\Pr(f(x) = c) = p$.

Proof. Let $y = (x_{i(1)}, \ldots, x_{i(t)})$ be made up of an arbitrary choice of $t$ of the variables, $x_i$, and let $y_0 = (y_1, \ldots, y_t)$ be any fixed binary $t$-vector. Then since $f_1$ and $f_2$ do not depend on $x_{n+1}$ we have for either fixed choice of the bit $b$, and $i = 1$ or 2,

$$\Pr(f_i = c \mid y = y_0, x_{n+1} = b) = \Pr(f_i = c \mid y = y_0) = \Pr(f_i = c), \qquad (3.3)$$

where the second equality follows from our hypothesis that $f_i$ is correlation immune of order $t$ and using Lemma 3.34 above. Now (3.2) and (3.3) imply

$$\Pr(f = c \mid y = y_0, x_{n+1} = 1) = \Pr(f_1 = c) = p$$

and

$$\Pr(f = c \mid y = y_0, x_{n+1} = 0) = \Pr(f_2 = c) = p$$

so we obtain

$$\Pr(f = c \mid y = y_0, x_{n+1} = b) = \Pr(f = c) = p.$$

This implies that the value of $f$ is independent of the choice of any subset of $t$ of the $n+1$ input variables, so $f$ is correlation immune of order at least $t$. ■

Example 3.36. Table 3.7 provides an example of a generalized Boolean function which was constructed using Theorem 3.35.

Table 3.7: A Siegenthaler constructed CI(1) function $f \in$

V_4     a_0   a_1   f
0000    0     0     0
0001    1     1     3
0010    0     1     2
0011    1     0     1
0100    1     0     1
0101    0     1     2
0110    1     1     3
0111    0     0     0
1000    0     1     2
1001    1     0     1
1010    1     1     3
1011    0     0     0
1100    0     0     0
1101    1     1     3
1110    1     0     1
1111    0     1     2


In the above example we see how correlation immune (order 1) Boolean functions can be used to construct new correlation immune (order 1) generalized Boolean functions. Care must however be taken to ensure that all stipulated requirements are satisfied by the two selected generalized Boolean functions before proceeding with the construction. To illustrate the point, consider the following example in Table 3.8:

Table 3.8: A correlation immune generalized Boolean function construction failure

V_3    a_0   a_1   f
000    1     0     1
001    0     1     2
010    0     1     2
011    1     0     1
100    0     0     0
101    1     1     3
110    1     1     3
111    0     0     0


In this case, both Boolean functions $a_0$ and $a_1$ are CI(1), yet the generalized Boolean function $f$ fails to be correlation immune. The cause of the failure lies in the fact that, in order for the generalized Siegenthaler construction to work, Theorem 3.35 requires that the two generalized Boolean functions $f_1$ and $f_2$ are such that $\forall c \in f_1(V_n) = f_2(V_n)$, $\Pr(f_1(x) = c) = \Pr(f_2(x) = c) = p$. In this instance, $f_1(V_n) = \{1,2\} \ne \{0,3\} = f_2(V_n)$. This disagreement between the output values in the first and second half of the truth table of $f$ results in the associated conditional probabilities not equaling the required values. For example, $\Pr(x_1 = 1 \mid f(x) = 3) = 1$.

3.5 Necessary and Sufficient Conditions for Correlation Immune Generalized Boolean Functions

Suppose, as depicted in Figure 3.1, we wish to design a $q$-ary sequence generator that uses $k$ linear feedback shift registers (LFSRs) which in turn feed a generalized Boolean function $f \in$, $f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$, where $a_j \in$.

Figure 3.1: q-ary sequence generator


Suppose further that we wish to ensure that our function is immune to correlation attacks. Considering the problem for a moment, we quickly recognize that the $q$-ary nature of the output sequence does not provide any additional security. By binary expansion of each of the output values in the sequence, an attacker could simply employ a divide-and-conquer approach and perform $k$ separate correlation attacks, one on each of our function's $k$ constituent Boolean functions $a_j$. Clearly in order for a generalized Boolean function $f \in$ used in this manner to be considered correlation immune, the governing CI criteria must be satisfied by each of the constituent Boolean functions $a_j$, $0 \le j \le k-1$.

Lemma 3.37. Let $f \in$ be a correlation immune (order $t$) function and let $V_n$ represent the set of binary input vectors, $x = (x_n, \ldots, x_1)$. Let $c \in f(V_n)$ be an output value of $f$ and $V_c = \{x \in V_n : f(x) = c\}$. Let $y = (x_{i(1)}, \ldots, x_{i(t)})$ be an arbitrary choice of $t$ of the variables, $x_i$, and let $y_0 = (y_1, \ldots, y_t)$ be any fixed binary $t$-vector. Assume that there exists a partition $V_c = \bigcup_{i=1}^{r} W_i$, $W_i \cap W_j = \emptyset$ if $i \ne j$, and for all $W \in \{W_1, \ldots, W_r\}$ and for each $y_0$, $\Pr(y = y_0 \mid f|_W = c) = 2^{-t}$. Then for all $U = \bigcup_{i \in I \subseteq \{1,2,\ldots,r\}} W_i$, $\Pr(y = y_0 \mid f|_U = c) = 2^{-t}$ for each $y_0$.

Proof. Let $f \in$ be a correlation immune (order $t$) function. Let $c \in f(V_n)$ be an output value of $f$ and let $V_c = \{x \in V_n : f(x) = c\}$. Let $\{W_1, \ldots, W_r\}$ be mutually disjoint sets which partition $V_c$ such that for every $W_i \in \{W_1, \ldots, W_r\}$ and $\forall y$ and each $y_0$: $\Pr(y = y_0 \mid f|_{W_i} = c) = 2^{-t}$. Without loss of generality, let $U$ be an arbitrary union of $s$ sets chosen from $\{W_1, \ldots, W_r\}$, where $2 \le s \le r$. Since for each $W_i$ involved in $U$ and $\forall y$ and each $y_0$: $\Pr(y = y_0 \mid f|_{W_i} = c) = 2^{-t}$, it must be the case that there are $2^{-t}|W_i|$ vectors $x \in W_i$ which satisfy each condition $y = y_0$ for each subset $W_i$. The subsets $W_i$ are disjoint, therefore, the total number of vectors which satisfy each specific condition, $y = y_0$, is

$$\sum_{W_i \subseteq U} \frac{|W_i|}{2^t} = \frac{1}{2^t} \sum_{W_i \subseteq U} |W_i| = \frac{|U|}{2^t}.$$

This in turn means that $\Pr(y = y_0 \mid f|_U = c) = 2^{-t}$, regardless of our choice of $U$. ■

Theorem 3.38. If $f$ is a correlation immune (order $t$) generalized Boolean function, then all of its constituent Boolean functions are also correlation immune (order $t$).

Proof. Let $x \in V_n$ and let $f \in$ be a correlation immune (order $t$) generalized Boolean function, where $f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$, $a_j \in$. Suppose $c \in f(V_n)$. Let $c_2(j)$ represent the $j$-th bit of the binary expansion of $c$, such that $f(x) = c$ and $a_j(x) = c_2(j)$. Since $c_2(j) \in \mathbb{Z}_2$, for each function $a_j$, the binary expansion of the elements of $f(V_n)$ partition $V_n$ into disjoint sets $V_{0(1)}, V_{0(2)}, \ldots, V_{0(r)}$ and $V_{1(1)}, V_{1(2)}, \ldots, V_{1(s)}$, such that $r + s = |f(V_n)|$ and for all $x \in V_{0(\gamma)}$, where $1 \le \gamma \le r$, $a_j(x) = 0$ and for all $x \in V_{1(\delta)}$, where $1 \le \delta \le s$, $a_j(x) = 1$. Let $y = (x_{i(1)}, \ldots, x_{i(t)})$ be made up of an arbitrary choice of $t$ of the variables, $x_i$, and let $y_0 = (y_1, \ldots, y_t)$ be any fixed binary $t$-vector. Then, since $f$ is correlation immune (order $t$), for each $y_0$ and for every $c \in f(V_n)$, we know that $\Pr(y = y_0 \mid f(x) = c) = 2^{-t}$. This in turn means that for each $V_{0(\gamma)}$ and each $V_{1(\delta)}$, $\Pr(y = y_0 \mid f|_{V_{0(\gamma)}}(x) = 0) = \Pr(y = y_0 \mid f|_{V_{1(\delta)}}(x) = 0) = 2^{-t}$. Turning our attention to the Boolean function, $a_j$, this implies that for each $y_0$ and every $V_{0(\gamma)}$ and $V_{1(\delta)}$, $\Pr(y = y_0 \mid a_j|_{V_{0(\gamma)}}(x) = 0) = \Pr(y = y_0 \mid a_j|_{V_{1(\delta)}}(x) = 0) = 2^{-t}$. This can be viewed as a relabeling of $f$'s outputs from $c$ to $c_2(j)$. If it were not possible to succeed in doing so, it would mean that $f$ failed to be CI(t) for one or more of its output values $c$. Given this partitioning of $a_j$ into individually CI(t) components, we let $V_0 = \bigcup_{\gamma=1}^{r} V_{0(\gamma)}$ and $V_1 = \bigcup_{\delta=1}^{s} V_{1(\delta)}$ and apply Lemma 3.37 which tells us that for each $y_0$, $\Pr(y = y_0 \mid a_j|_{V_0}(x) = 0) = \Pr(y = y_0 \mid a_j|_{V_1}(x) = 1) = 2^{-t}$, thus demonstrating that for all $0 \le j \le k-1$, $a_j$ is a correlation immune (order $t$) Boolean function. ■

Theorem 3.38 guarantees that generalized Boolean functions which are correlation immune are not susceptible to binary output decomposition followed by correlation attacks carried out on its Boolean function components. However, since cryptographers may wish to construct correlation immune generalized Boolean functions using correlation immune Boolean functions as building blocks, we would also like to establish the criteria under which such functions ensure the resultant generalized Boolean function is correlation immune. As previously observed in Table 3.8, the fact that a generalized Boolean function $f$ has Boolean functional components, all of which are correlation immune, is not sufficient to ensure that $f$ itself is correlation immune.

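Lemma 3.39. Let $X$ and $Y$ be rectangular arrays, each containing $m$ rows of binary vectors of length $n$.

$$X = \begin{bmatrix} x_{11} & x_{12} & \cdots & x_{1n} \\ x_{21} & x_{22} & \cdots & x_{2n} \\ \vdots & \vdots & & \vdots \\ x_{m1} & x_{m2} & \cdots & x_{mn} \end{bmatrix}, \qquad
Y = \begin{bmatrix} y_{11} & y_{12} & \cdots & y_{1n} \\ y_{21} & y_{22} & \cdots & y_{2n} \\ \vdots & \vdots & & \vdots \\ y_{m1} & y_{m2} & \cdots & y_{mn} \end{bmatrix}$$

Let $x_j$ and $y_j$ represent the $j$-th column vector of each respective array. Then, $X$ and $Y$ contain identical multisets of row vectors if and only if, for all $j$, $1 \le j \le n$, $wt(x_j) = wt(y_j)$ and the pairwise distances between column vectors, $d(x_j, x_k) = d(y_j, y_k)$ for all combinations $j,k$, where $1 \le j,k \le n$.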

Proof. ($\Rightarrow$) Let $X$ and $Y$ be rectangular arrays each of which contain $m$ rows of binary vectors of length $n$. Let the row vectors of $X$ and $Y$ be exhaustively constructed using identical multisets of size $m$. Let $x_j$ and $y_j$ represent the $j$-th column vector of each respective array. For each array, there are $m!$ orderings of the row vectors. Without loss of generality, select one such ordering for $X$ and one ordering for $Y$. Now, $X$ and $Y$ were exhaustively constructed using row vectors taken from identical multisets, so despite any possible different orderings, for all $j$, $1 \le j \le n$, $wt(x_j) = wt(y_j)$. For each array, $X$ and $Y$, we now create $\binom{n}{2}$ sub-arrays $X_{(j,k)}$ and $Y_{(j,k)}$ where each row $i$, from 1 to $m$, has elements $(x_{ij}, x_{ik})$ or $(y_{ij}, y_{ik})$, respectively. Since $X$ and $Y$ have row vectors taken from identical multisets of size $m$, for each possible combination $j$ and $k$, $1 \le j,k \le n$, it must also be the case that each sub-array $X_{(j,k)}$ and $Y_{(j,k)}$ form identical multisets of two element row vectors. In order for $d(x_j, x_k) \ne d(y_j, y_k)$ it would mean that $X_{(j,k)}$ and $Y_{(j,k)}$ had different multisets of two-element row vectors. Since this is not the case, we conclude that $d(x_j, x_k) = d(y_j, y_k)$ for all combinations $j,k$, where $1 \le j,k \le n$.

($\Leftarrow$) Let $X$ and $Y$ be two rectangular arrays each containing $m$ rows of binary vectors of length $n$. Let $x_j$ and $y_j$ represent the $j$-th column vector of each respective array, and let $X$ and $Y$ be such that for all $j$, $1 \le j \le n$, $wt(x_j) = wt(y_j)$ and for all combinations of columns $j,k$, where $1 \le j,k \le n$, $d(x_j, x_k) = d(y_j, y_k)$. For each array, create $\binom{n}{2}$ sub-arrays $X_{(j,k)}$ and $Y_{(j,k)}$ where each row $i$, from 1 to $m$, has elements $(x_{ij}, x_{ik})$ or $(y_{ij}, y_{ik})$ respectively. To each sub-array, $X_{(j,k)}$ and $Y_{(j,k)}$, associate the 3-tuple $(wt(x_j), wt(x_k), d(x_j, x_k))$ or $(wt(y_j), wt(y_k), d(y_j, y_k))$, respectively. Now, $d(x_j, x_k) = \sum_{i=1}^{m} x_{ij} \oplus x_{ik}$ and $d(y_j, y_k) = \sum_{i=1}^{m} y_{ij} \oplus y_{ik}$. Therefore, the parity of the bits in each specific column of row $i$ differ for each bit combination ($1 \oplus 0$ and $0 \oplus 1$) which contributes to the cumulative distance between the column vectors. This is also the case for bit combinations ($1 \oplus 1$ and $0 \oplus 0$) which do not contribute to the cumulative distance. Consequently, it is not possible to obtain two similar distance values between column vectors using different bit combinations, without altering the respective column weights. Our 3-tuples $(wt(x_j), wt(x_k), d(x_j, x_k))$ and $(wt(y_j), wt(y_k), d(y_j, y_k))$ are therefore unique irrespective of row vector order. Since $wt(x_j) = wt(y_j)$ for all $j$, $1 \le j \le n$ and $d(x_j, x_k) = d(y_j, y_k)$ for all combinations of columns $j,k$, where $1 \le j,k \le n$, it must be the case that $(wt(x_j), wt(x_k), d(x_j, x_k))$ and $(wt(y_j), wt(y_k), d(y_j, y_k))$ agree for all $X_{(j,k)}$ and $Y_{(j,k)}$. We have thus shown that $X$ and $Y$ must contain the same multisets of row vectors. ■

Theorem 3.40. Let $f = f_1 \| f_2$ be a generalized Boolean function created using the generalized Siegenthaler construction in Theorem 3.35, such that $f \in$ and $f_1$ and $f_2$ are both correlation immune (order $t$) functions. Let $f_1(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$ and $f_2(x) = \sum_{j=0}^{k-1} 2^j b_j(x)$, where $a_j, b_j \in$ and $x \in V_n$. Then $f$ is correlation immune (order $t$) if and only if for all $j$ and $h$, $0 \le j,h \le k-1$, the Boolean functions $a_j$ and $b_j$ are such that $wt(a_j) = wt(b_j)$ and the pairwise distances $d(a_j, a_h) = d(b_j, b_h)$.

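Proof. ($\Rightarrow$) Let $f \in$ be a generalized Boolean function created by concatenating
two $CI(t)$ generalized Boolean functions $f_1, f_2 \in$ in accordance with Theorem 3.35.
The function $f$ is correlation immune (order $t$), so it must be the case that for all $x \in V_n$
and all output values $c \in$, $c \in f_1(V_n) \cap f_1(V_n)$, and $Pr(f_1(x) = c) = Pr(f_2(x) = c)$. Let
$c_2(j)$ represent the $j$th bit of the binary expansion of $c$, such that for $0 \le i \le k-1$, $f_1(x) = c$
and $a_j(x) = c_2(j)$ and $f_2(z) = c$ and $b_j(z) = c_2(j)$. Consider the two $2^n \times k$ arrays of truth
table values for $a_j$ and $b_j$:

$$
\begin{array}{ccccc}
a_0 & a_1 & \cdots & a_{k-1} & f_1 \\
a_{1,0} & a_{1,1} & \cdots & a_{1,k-1} & f_{1,1} \\
a_{2,0} & a_{2,1} & \cdots & a_{2,k-1} & f_{2,1} \\
a_{3,0} & a_{3,1} & \cdots & a_{3,k-1} & f_{3,1} \\
\vdots & \vdots & & \vdots & \vdots \\
a_{2^n,0} & a_{2^n,1} & \cdots & a_{2^n,k-1} & f_{2^n,1}
\end{array}
\qquad
\begin{array}{ccccc}
b_0 & b_1 & \cdots & b_{k-1} & f_2 \\
b_{1,0} & b_{1,1} & \cdots & b_{1,k-1} & f_{1,2} \\
b_{2,0} & b_{2,1} & \cdots & b_{2,k-1} & f_{2,2} \\
b_{3,0} & b_{3,1} & \cdots & b_{3,k-1} & f_{3,2} \\
\vdots & \vdots & & \vdots & \vdots \\
b_{2^n,0} & b_{2^n,1} & \cdots & b_{2^n,k-1} & f_{2^n,2}
\end{array}
$$
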
Since the probabilities of $c$ occurring in the two functions must be equal, the number of
instances of $c$ in $f_1$ and $f_2$ must be the same. This in turn means that the number of instances
of $c_2$ occurring as a row vector must be the same for both arrays. By Lemma 3.39 the two
arrays are such that for all $j$ and $h$, $1 \le j,h \le k-1$, $wt(a_j) = wt(b_j)$, and all pairwise
distances $d(a_j,a_h) =$


($\Leftarrow$) Let $f_1$ and $f_2$ be two $n$-variable correlation immune (order $t$) generalized Boolean
functions. Let $f_1(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$ and $f_2(x) = \sum_{j=0}^{k-1} 2^j b_j(x)$, where $a_j, b_j \in$ and
$x \in V_n$. For all $j$ and $h$, where $0 \le j,h \le k-1$, let the Boolean function truth tables
be such that $wt(a_j) = wt(b_j)$ and $d(a_j,a_h) = d(b_j,b_h)$. This ensures that each function's
$2^n \times k$ array of Boolean values contains the same multisets of binary row vectors. For each
$k$-long binary vector $c_2$ in each multiset, there exists a corresponding value $c \in$ in the
respective truth tables of $f_1$ and $f_2$. Thus if the frequency of each distinct binary row vector
agrees between the two multisets, so too does the frequency of each value $c$ in $f_1$ and $f_2$.
We therefore conclude that for all $c$, $Pr(f_1(x) = c) = Pr(f_2(x) = c)$. Moreover, since $f_1$
and $f_2$ also agree with respect to dimension and correlation immunity order, we satisfy the
requisite preconditions under which the generalized Siegenthaler construction may be used.
Carrying out the construction we thus create the generalized Boolean function $f = f_1 \| f_2$,
where $f \in$. According to Theorem 3.35 this function is correlation immune of
order $t$. ■
Theorem 3.41. Let $f \in$ be the generalized Boolean function $f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$,
where $0 \le j \le k-1$, $a_j \in \mathcal{B}_n$ and $x \in V_n$. Then $f$ is correlation immune (order $t$) if and
only if all Boolean functions $a_j$ are $CI(t)$ and use the same partition $P$ of $V_n$ consisting of
$q$ orthogonal arrays, $O_j$, each of strength $t$.

Proof. ($\Rightarrow$) Let $f$ and the functions $a_j$ be as described. Let $P$ be a partition of $V_n$
consisting of $q$ orthogonal arrays, $O_h$, $0 \le h \le q-1$, each of strength $t$. Suppose that
for all $O_h \in P$ each function $a_j$ uses the partition $P$. Then for each $h$ and all vectors
$x \in O_h$, $(a_0(x), a_1(x), \ldots, a_{k-1}(x))$ is a unique binary vector $c_2$, and
$a_0(x) + 2a_1(x) + \cdots + 2^{k-1}a_{k-1}(x) = c \in$ is thus a unique output value for $f$.
Consequently, $f$ is correlation immune (order $t$).

($\Leftarrow$) Let $f \in$ be a correlation immune (order $t$) generalized Boolean function. Then
according to Theorem 3.9, associated with $f$ there is a partition $P$ consisting of $q$ strength
$t$ orthogonal arrays, $O_h$, $0 \le h \le q-1$, such that for each distinct output value $c_h \in f(V_n)$,
there exist an $O_h$ such that $O_h = \{x \in O_h : f(x) = c_h\}$. Since $f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$, this
means that for each $c$ and all Boolean functions, $a_j$, there must exist an $O_h$ such that
$O_h = \{x \in O_h : (a_0(x), 2a_1(x), \ldots, 2^{k-1}a_{k-1}(x)) = c_h\}$. This in turn means that each
Boolean function $a_j$ utilizes the partition $P$. Moreover, by applying Lemma 3.37 to $P$
and each respective Boolean function $a_j$, we conclude that $a_j$ is $CI(t)$. ■


3.6 Correlation Immunity and the Walsh-Hadamard Transform

The Walsh transform is a very useful tool when studying Boolean functions. Cusick and 
Stanica provide the following lemma regarding correlation immunity of order t in their 
book on Cryptographic Boolean Functions and Applications [11]: 

Lemma 3.42. [11, p. 56]

A [Boolean] function $f(x)$ in $n$ variables is correlation immune of order $t$, $1 \le t \le n$, if and
only if all of the Walsh transforms

$$W_f(w) = \sum_{x \in V_n} (-1)^{f(x) \oplus x \cdot w} = 0, \quad 1 \le wt(w) \le t.$$
It is certainly possible to define a correlation immunity notion based on the
Walsh-Hadamard transform for generalized Boolean functions. To this end, we say that a
generalized Boolean function $f \in$ is generalized correlation immune of order $t$, denoted
$gCI(t)$, if and only if $\mathcal{H}_f(w) = 0$, where for all $w$, with $1 \le wt(w) \le t$. One naturally
wonders whether or not this concept is equivalent to the probabilistic paradigm under which we
have thus far been operating. We demonstrate in fact, that a function that is $CI(1)$, is also
$gCI(1)$, but the converse is in general not true. For simplicity's sake, we consider here only
the case when $t = 1$. The basic approach taken in the theorem that follows can however
also be used to prove the cases when $t > 1$.

Theorem 3.43. Let $f \in$ be a generalized Boolean function. If $f$ is $CI(1)$, then $f$ is
$gCI(1)$.


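Proof. Let $f \in$ be a generalized Boolean function and let $w \in V_n$ and $wt(w) = 1$.
That is, $w = (0,\ldots,0,1,0,\ldots,0)$, for some $i$. Now,

$$
\begin{aligned}
\mathcal{H}_f(w) &= \sum_{x \in V_n} \zeta^{f(x)} (-1)^{x \cdot w} \\
&= \sum_{c=0}^{q-1} \sum_{\substack{x,\, f(x)=c \\ x_i = 0}} \zeta^{c} \;-\; \sum_{c=0}^{q-1} \sum_{\substack{x,\, f(x)=c \\ x_i = 1}} \zeta^{c} \\
&= \sum_{c=0}^{q-1} \eta_{0c}\,\zeta^{c} - \sum_{c=0}^{q-1} \eta_{1c}\,\zeta^{c} = \sum_{c=0}^{q-1} (\eta_{0c} - \eta_{1c})\,\zeta^{c},
\end{aligned}
$$

where $\eta_{0c} = |\{x \mid f(x) = c, x_i = 0\}|$ and $\eta_{1c} = |\{x \mid f(x) = c, x_i = 1\}|$. Since $f$ is $CI(1)$,
$\eta_{0c} = \eta_{1c}$ for all $c$, therefore $\mathcal{H}_f(w) = 0$. ■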


Unfortunately, as we previously discovered when exploring balancedness in Chapter 2,
things in the generalized setting have a tendency of becoming a bit more complicated than
that which one experiences in the classical Boolean environment. Such is also the case
when it comes to correlation immunity. While the probabilistic point of view we have
thus far been operating under is consistent with the correlation immunity notion using the
generalized Walsh-Hadamard transform, the converse is in general not true. To see that this
is indeed the case, consider the following generalized Boolean function $f \in \mathcal{GB}_4^4$.


Table 3.9: A non-$CI(1)$ function $f \in$ where $\mathcal{H}_f(w) = 0$

$V_4$   0000  0001  0010  0011  0100  0101  0110  0111  1000  1001  1010  1011  1100  1101  1110  1111
$f$     0     0     0     2     0     2     2     0     2     0     1     3     3     1     0     0


The 4th root of unity is $\zeta_4 = i$. Letting $w \in \{0001, 0010, 0100, 1000\}$, we compute
which yields the following:

$$\mathcal{H}_f(0001) = i^0 + i^0 + i^0 + i^2 + i^2 + i^1 + i^3 + i^0 - i^0 - i^2 - i^2 - i^0 - i^0 - i^3 - i^1 - i^0 = 0,$$

$$\mathcal{H}_f(0010) = i^0 + i^0 + i^0 + i^2 + i^2 + i^0 + i^3 + i^1 - i^0 - i^2 - i^2 - i^0 - i^1 - i^3 - i^0 - i^0 = 0,$$

$$\mathcal{H}_f(0100) = i^0 + i^0 + i^0 + i^2 + i^2 + i^0 + i^1 + i^3 - i^0 - i^2 - i^2 - i^0 - i^3 - i^1 - i^0 - i^0 = 0,$$

and

$$\mathcal{H}_f(1000) = i^0 + i^0 + i^0 + i^2 + i^0 + i^2 + i^2 + i^0 - i^2 - i^0 - i^1 - i^3 - i^3 - i^1 - i^0 - i^0 = 0.$$

Since the generalized Walsh-Hadamard transform equals 0 for each Hamming
weight 1 vector $w$, the function $f$ is $gCI(1)$. However, by inspection, one quickly
observes that $f$ is not $CI(1)$. For example, the two occurrences of the output value 1 both
occur in the second half of the truth table. Thus, when considering the most significant
(lexicographically ordered) bit position $i = 4$, one must conclude that $f$ cannot be $CI(1)$.
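
The counterexample can be checked mechanically. The following is an added example, not code from the dissertation: it evaluates the generalized Walsh-Hadamard transform of the Table 3.9 function at every weight 1 vector and compares the counts $\eta_{0c}$ and $\eta_{1c}$ from the proof of Theorem 3.43. The function names are hypothetical, and bit position $i$ is counted from the right so that $i = 4$ is the most significant bit, as in the text above.

```python
import cmath

# Truth table of Table 3.9: inputs 0000..1111 in lexicographic order, outputs in Z_4.
TABLE_3_9 = [0, 0, 0, 2, 0, 2, 2, 0, 2, 0, 1, 3, 3, 1, 0, 0]


def gwht(f, q, w):
    """H_f(w) = sum over x of zeta_q^f(x) * (-1)^(w.x), with x and w held as integers."""
    zeta = cmath.exp(2j * cmath.pi / q)
    return sum(zeta ** c * (-1) ** bin(w & x).count("1") for x, c in enumerate(f))


def is_gci1(f, n, q, eps=1e-9):
    """gCI(1): the transform vanishes at every Hamming weight 1 vector w."""
    return all(abs(gwht(f, q, 1 << (i - 1))) < eps for i in range(1, n + 1))


def eta(f, q, i):
    """Return (eta_0, eta_1) with eta_b[c] = |{x : f(x) = c, x_i = b}|.
    Position i = 1 is the rightmost bit, so i = n is the most significant one."""
    counts = ([0] * q, [0] * q)
    for x, c in enumerate(f):
        counts[(x >> (i - 1)) & 1][c] += 1
    return counts


def ci1_violations(f, n, q):
    """CI(1) needs eta_0c == eta_1c for all c and i; list every (i, c, eta_0c, eta_1c) that fails."""
    bad = []
    for i in range(1, n + 1):
        e0, e1 = eta(f, q, i)
        bad += [(i, c, e0[c], e1[c]) for c in range(q) if e0[c] != e1[c]]
    return bad


def eta_differences(f, q, i):
    """Coefficients (eta_0c - eta_1c) of zeta^c in H_f(w) for the weight 1 vector at position i."""
    e0, e1 = eta(f, q, i)
    return [a - b for a, b in zip(e0, e1)]


if __name__ == "__main__":
    print("gCI(1):", is_gci1(TABLE_3_9, 4, 4))
    print("CI(1) violations (i, c, eta_0c, eta_1c):", ci1_violations(TABLE_3_9, 4, 4))
    print("eta differences at i = 4:", eta_differences(TABLE_3_9, 4, 4))
```

At $i = 4$ the differences $\eta_{0c} - \eta_{1c}$ are nonzero for every $c$, yet they cancel once weighted by the powers of $i$, which is why the transform cannot detect the imbalance.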

3.7 Rotation Symmetric Correlation Immune Generalized Boolean Functions

Having discussed several methods of constructing correlation immune generalized Boolean
functions, we now turn our attention to correlation immune generalized Boolean functions,
which are also rotation symmetric. Rotation symmetric Boolean functions were introduced
by Pieprzyk and Qu in 1999 [33], though they appear in the work of Filiol and Fontaine [15]
as idempotents, the preceding year. These functions remain invariant under cyclic rotations
of their input vectors, and are of particular importance as components of cryptographic
hashing algorithms, where they reduce computational complexity by allowing reuse of
results obtained in previous iterations of an algorithm. Building upon our previously
developed foundation of orthogonal array aided constructions, we will in this section extend the
approach and demonstrate a method for constructing correlation immune and rotation
symmetric generalized Boolean functions. Before embarking on this endeavor, we cover the
following requisite material.

We adopt Cusick and Stanica's notation and generalize the definition of rotation symmetric
Boolean functions from [11, p. 121].

Let $(x_1, x_2, \ldots, x_n) \in V_n$. For $1 \le k \le n$ we define

$$\rho_n^k(x_i) = \begin{cases} x_{i+k} & \text{if } i+k \le n, \\ x_{i+k-n} & \text{if } i+k > n, \end{cases}$$

which naturally extends to vectors.

Definition 3.44. A generalized Boolean function $f$ is rotation symmetric (RotS) if and only
if for any $(x_1, x_2, \ldots, x_n) \in V_n$,

$$f(\rho_n^k(x_1, \ldots, x_n)) = f(x_1, \ldots, x_n),$$

for any $1 \le k \le n$.

Definition 3.45. [19, p. 88] A linear code is called cyclic if whenever

$(c_0, c_1, \ldots, c_{k-2}, c_{k-1})$ (3.4)

is a codeword, then so too is

$(c_1, c_2, \ldots, c_{k-1}, c_0)$ (3.5)

(that is, codewords are invariant under cyclic rotations).

Definition 3.46. [19, p. 88] An orthogonal array $O$, denoted $OA(m, n, 2, t)$, is cyclic if it is
linear and whenever (3.4) is a row vector in $O$, then (3.5) is a row vector in $O$.

As is customary in coding theory, we concisely represent a set of cyclic vectors using
a single vector in angled brackets. Let $x = (x_1, x_2, \ldots, x_n)$, then for $k = 1$ to $n$,
$\langle x \rangle = \rho_n^k(x_1, x_2, \ldots, x_n)$. For example: $\langle 0001 \rangle = \{1000, 0100, 0010, 0001\}$. Additionally, given a
vector $x \in V_n$, we define its cyclic period, $p_x$, where $1 \le p_x \le$ as $p_x = |\langle x \rangle|$.

Definition 3.47. A partition of $V_n$ which remains invariant under the set of column
rotations $\rho_n^k(x_i)$, $1 \le k \le n$, is called a rotation symmetric partition.


Several of the previously discussed linear codes and linear orthogonal arrays were cyclic.
Our new construction of RotS and $CI(t)$ generalized Boolean functions relies upon cyclic
orthogonal arrays. To highlight our approach, we revisit a familiar orthogonal array.

Example 3.48. Suppose we wish to construct a RotS and $CI(1)$ generalized Boolean
function $f \in$. We begin again with the linear orthogonal array $O_0 = OA(2,4,2,1)$. As
seen in Example 3.28, this orthogonal array is symmetric and thus must also be RotS. As
before, we list $O_0$ along with its 7 cosets:


$O_0 = \{0000, 1111\}$,  $O_1 = \{0001, 1110\}$,  $O_2 = \{0010, 1101\}$,  $O_3 = \{0100, 1011\}$,

$O_4 = \{1000, 0111\}$,  $O_5 = \{0011, 1100\}$,  $O_6 = \{0101, 1010\}$,  $O_7 = \{1001, 0110\}$.

In order for $f$ to be both RotS and $CI(1)$, we must first be able to partition $V_n$ in such a way
that

1. Each subset of the partition forms an orthogonal array, and

2. The partition must be rotation symmetric.

The first task is accomplished using the previously outlined partitioning technique which
employs a linear orthogonal array along with its cosets, each of which are orthogonal arrays
in their own right. However, in order to satisfy the second requirement, we select as our
starting point a cyclic orthogonal array. Moreover, once the cosets have been formed, we
group them in such a way as to ensure that each group of orthogonal arrays contains all
vectors, $x \in V_4$ from the same cyclic class, $\langle x \rangle$. Having done so, we then map all vectors
within each group to the same output value. Given that

$\langle 0001 \rangle = \{0001, 0010, 0100, 1000\}$,  $\langle 0011 \rangle = \{0011, 0110, 1100, 1001\}$,

$\langle 1110 \rangle = \{1110, 1101, 1011, 0111\}$,  $\langle 0101 \rangle = \{0101, 1010\}$,

we can for example achieve our goal using the following mapping:

$\{O_0 \to 0, \{O_1, O_2, O_3, O_4\} \to 1, O_6 \to 3, \{O_5, O_7\} \to 2\}$.

Doing so produces the RotS and $CI(1)$ generalized Boolean function in Table 3.10.
Table 3.10: A RotS and $CI(1)$ generalized Boolean function $f$

$V_4$    $f$
0000   0
0001   1
0010   1
0011   2
0100   1
0101   3
0110   2
0111   1
1000   1
1001   2
1010   3
1011   1
1100   2
1101   1
1110   1
1111   0
Algorithm 5 RotS and CI(t) generalized Boolean function construction

Select a cyclic linear orthogonal array O_0 = OA(m,n,2,t), where m = 2^ and n > t.
Store row vectors of O_0 to array V.
Create an array of arrays, P.
Create two arrays F and I.
Store 1 in I.
for i = 1 to 2^n − 1 do
    x = i_2
    if x ∉ V and x ∉ P then
        Construct set of cyclic vectors ⟨x⟩.
        Compute p_x = |⟨x⟩|.
        Store (p_x, ⟨x⟩) to P.
    end if
    i++
end for
Sort P such that (p_x, ⟨x⟩) tuples appear in ascending order with respect to p_x.
for j = 0 to length.P(outer) − 1 do
    cnt = 0
    for k = 1 to P[j][0] − 1 do
        if P[j][k] ∉ V then
            for h = 0 to m − 1 do
                v_h = V[h] ⊕ P[j][k]
                Store v_h to V
            end for
            cnt++
        end if
        k++
    end for
    Store cnt to I.
    j++
end for
Set q ← length.I
Create set Z_q = {0, ..., q − 1}
start ← 0
end ← m − 1
for i = 0 to q − 1 do
    Select an output value c_i ∈ Z_q.
    for k = start to end do
        Store (V[k], c_i) to F.
    end for
    start ← end + 1
    end ← end + I[i] · m
end for
Sort tuples of F such that input vectors appear in lexicographic order.

Proof of Correctness of RotS and $CI(t)$ Generalized Boolean Function Construction:

Suppose we wish to construct a RotS and $CI(t)$ generalized Boolean function $f \in$
using Algorithm 5. As was the case with Algorithm 4, we begin by selecting a suitable
linear orthogonal array. In this case, however, we stipulate that the orthogonal array
$O_0$ = OA{2^ (n > i), must also be cyclic. To ensure the function is correlation immune,
Algorithm 5 retains the general approach of partitioning $V_n$ using $O_0$ along with
its cosets, all of which also are orthogonal arrays. However, in order to also achieve
rotation symmetry, the way in which we go about creating and grouping these cosets has been
slightly modified. For each vector $x \in V_n \setminus O_0$, we construct the set of vectors, $\langle x \rangle$. For each
unique cyclic class, $\langle x \rangle$, we compute its associated period, $p_x = |\langle x \rangle|$ and store $(p_x, \langle x \rangle)$ to
an array of arrays, $P$. Once this task has been accomplished, we sort the tuples of $P$ such
that the $p_x$ values appear in increasing order. Using vectors in $P$, Algorithm 5 then forms
the 2"“^ — 1 cosets of $O_0$ in the familiar manner. $O_0$ is a simple linear orthogonal array and
its row vectors form a subgroup of $V_n$. Using $O_0$ along with its cosets, the algorithm
therefore creates a partition of $V_n$. Each coset within the partition is unique and in accordance
with Lemma 3.10, also is an $OA(m,n,2,t)$ orthogonal array. There is however, no guarantee
that the cosets are cyclic. Consequently, in order to ensure that cosets which contain
vectors belonging to the same cyclic class get grouped together, the algorithm successively
builds cosets using the vectors within the same cyclic classes in $P$, and keeps track of the
membership boundaries of the vectors within groupings of cosets using the index array $I$.
To demonstrate that this method of grouping orthogonal arrays produces a rotation
symmetric partition of $V_n$, we argue as follows: $O_0$ is a cyclic orthogonal array, hence for every
row vector $y \in O_0$, $O_0$ contains the set $\langle y \rangle$ of every vector which is a cyclic rotation of $y$.
Select a vector $x$ such that $x \in V_n \setminus O_0$, and form the cyclic set $\langle x \rangle$, containing all possible
vectors which are cyclic rotations of $x$. Let $z = y \oplus x$. Suppose that for some $k$, where
$1 \le k \le n$, there exist a cyclic rotation such that $\rho_n^k(z) \notin B$, where $B$ is the set defined
as $B = \{y \oplus x \mid y \in \langle y \rangle, x \in \langle x \rangle\}$. $\rho_n^k(z) = \rho_n^k(y \oplus x) = \rho_n^k(y) \oplus \rho_n^k(x)$. Therefore, in order
for $\rho_n^k(z) \notin B$ it would imply that either $\rho_n^k(y) \notin \langle y \rangle$ or $\rho_n^k(x) \notin \langle x \rangle$, neither of which by
definition are possible. We therefore conclude that the set of vectors $B$ is cyclic. Given the
fact that $O_0$ is a subgroup of $V_n$, it clearly must contain a minimum of two cyclic classes,
namely $\langle 0 \rangle$, as well as at least one additional class $\langle y \rangle$, where $y \in O_0$. However, the way
in which we construct the cosets guarantees that the vectors from all cyclic classes in $O_0$
are added to all the vectors in the cyclic class $\langle x \rangle$. Moreover, since $O_0$ contains the identity
element 0 we can be assured that each vector within a given cyclic class $\langle x \rangle$ will appear in
a coset of $O_0$.

Remark 3.49. In order to avoid constructing duplicate orthogonal arrays, the algorithm
takes care to check after each iteration whether or not the next vector in the generating
set $\langle x \rangle$ occurred in the previously constructed coset. For example, if $O_0 = \{0000, 1111\}$
and we were using the set $\langle 0101 \rangle = \{0101, 1010\}$ to form a set of cyclic cosets of $O_0$, the
first coset constructed (using 0101) would be $\{0101, 1010\}$. However, the second vector
$1010 \in \langle 0101 \rangle$ already appeared in the coset produced, therefore the algorithm would not
use it again, but rather skip it, determine that the set $\langle 0101 \rangle$ had been exhausted, and write
the index of the last vector in the set of cosets to the index array, $I$, before proceeding to
the next array element in $P$.

Algorithm 5 terminates once the number of vectors in the set $V$ is $2^n$. At this point it will
contain 2"“^ orthogonal arrays and be a partition of $V_n$. The index array $I$ keeps track of
how many cosets each cyclic class $\langle x \rangle$ produces, thus enabling the required grouping of
orthogonal arrays. By counting the number of elements in $I$, the algorithm determines the
number of distinct functional output values, $q$, achievable in the construction. By
subsequently assigning the same output value, $c_i \in$ for $i = 0$ to $q - 1$, to every vector within a
set of orthogonal arrays, the algorithm not only ensures the function is correlation immune
(order $t$), but that it also is rotation symmetric.

Example 3.50. Suppose we wish to construct a RotS and $CI(2)$ generalized Boolean
function $f \in$. We first select the cyclic $OA(8,7,2,2)$ linear orthogonal array:

$O_0 = \{0000000, 1011100, 0101110, 0010111, 1001011, 1100101, 1110010, 0111001\}$.

The algorithm begins by storing the row vectors of $O_0$ to the array $V$. It initializes an array
of arrays $P$ and an array $I$ with the value 1. For each vector $x \in V_7 \setminus O_0$, the
algorithm checks that $x \notin P$, then constructs the cyclic set of vectors $\langle x \rangle$. It subsequently
computes the period $p_x = |\langle x \rangle|$ and stores $(p_x, \{\langle x \rangle\})$ to $P$. Once all cyclic sets of vectors
that are not in $O_0$ have been constructed and stored in $P$ along with their associated periods,
the algorithm will begin to use the vectors within these cyclic classes to construct the cosets
of $O_0$. Since in this example $n$ is prime, all vectors in $V_7$ are either period 1 or period 7. For
any orthogonal array, there are only two period 1 vectors, namely $\mathbf{0}$ and $\mathbf{1}$. The $\mathbf{0}$ vector is
the additive identity in $G = (V_7, \oplus)$, and thus must be in $O_0$ given the fact that $O_0$ is a linear
orthogonal array and $O_0 < G$. However, as luck would have it, $\mathbf{1}$ is not in $O_0$. This means
that the first entry in $P$ will be (1, {111111111111111}) and the first set of cyclic cosets
which Algorithm 5 constructs will only include the following cyclic orthogonal array:

$O_1 = \{1111111, 0100011, 1010001, 1101000, 0110100, 0011010, 0001101, 1000110\}$.

Once the last of these vectors has been added to the set $V$, the set of generating vectors
within this entry of $P$ have been exhausted. The algorithm will then store the number of
cosets which were created, in this case 1, to the index array $I$, before moving on to the next
entry in $P$, which is:

$(7, \{0000001, 1000000, 0100000, 0010000, 0001000, 0000100, 0000010\})$.

Using these vectors, the algorithm in turn constructs and stores the following seven cosets
to $V$:

$O_2 = \{0000001, 1011101, 0101111, 0010110, 1001010, 1100100, 1110011, 0111000\}$,
$O_3 = \{1000000, 0011100, 1101110, 1010111, 0001011, 0100101, 0110010, 1111001\}$,
$O_4 = \{0100000, 1111100, 0001110, 0110111, 1101011, 1000101, 1010010, 0011001\}$,
$O_5 = \{0010000, 1001100, 0111110, 0000111, 1011011, 1110101, 1100010, 0101001\}$,
$O_6 = \{0001000, 1010100, 0100110, 0011111, 1000011, 1101101, 1111010, 0110001\}$,
$O_7 = \{0000100, 1011000, 0101010, 0010011, 1001111, 1100001, 1110110, 0111101\}$,
$O_8 = \{0000010, 1011110, 0101100, 0010101, 1001001, 1100111, 1110000, 0111011\}$.

Once this is done, the algorithm will save the value 7 to $I$ and then move to the next entry
in $P$, which happens to be:

$(7, \{0000011, 1000001, 1100000, 0110000, 0011000, 0001100, 0000110\})$.


Using this set of vectors, the algorithm produces the final seven cosets:

$O_9 = \{0000011, 1011111, 0101101, 0010100, 1001000, 1100110, 1110001, 0111010\}$,
$O_{10} = \{1000001, 0011101, 1101111, 1010110, 0001010, 0100100, 0110011, 1111000\}$,
$O_{11} = \{1100000, 0111100, 1001110, 1110111, 0101011, 0000101, 0010010, 1011001\}$,
$O_{12} = \{0110000, 1101100, 0011110, 0100111, 1111011, 1010101, 1000010, 0001001\}$,
$O_{13} = \{0011000, 1000100, 0110110, 0001111, 1010011, 1111101, 1101010, 0100001\}$,
$O_{14} = \{0001100, 1010000, 0100010, 0011011, 1000111, 1101001, 1111110, 0110101\}$,
$O_{15} = \{0000110, 1011010, 0101000, 0010001, 1001101, 1100011, 1110100, 0111111\}$.

Once these cosets have been saved to $V$, the algorithm stores the value 7 to $I$. Having stored
all $2^7$ vectors to $V$, the loop that builds cosets terminates. Using the array $I$, the algorithm
then determines the number of sets, $q$, into which the orthogonal arrays were grouped. For
each of these groups, it chooses a value $c_i \in \mathbb{Z}_q$, $i = 0$ to $q - 1$. Using $I$ it computes
the start and end boundaries for each group of vectors and for $k$ = start to end within each
group it saves $(V[k], c_i)$ to a function array $F$. Due to the considerable size of the function,
we omit, in the interest of space, a complete table of input and output values and represent
instead the mapping created by the algorithm:

$\{O_0 \to c_0, O_1 \to c_1, \{O_2, \ldots, O_8\} \to c_2, \{O_9, \ldots, O_{15}\} \to c_3\}$,

that guarantees that our function is both RotS and $CI(2)$.
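
The grouping step of Algorithm 5 can be replayed on Examples 3.48 and 3.50. The following is an added example, not code from the dissertation: instead of the index array $I$ it merges, for each cyclic class $\langle x \rangle$, all cosets of $O_0$ generated by that class, then checks rotation symmetry and that every preimage is a strength $t$ orthogonal array. Function names are hypothetical, and numbering the groups in order of their smallest vector is an assumption (the text allows any distinct output values).

```python
from itertools import combinations

# Cyclic linear orthogonal arrays from the page, rows written as bit strings.
O0_4 = ["0000", "1111"]                                   # OA(2,4,2,1), Example 3.48
O0_7 = ["0000000", "1011100", "0101110", "0010111",
        "1001011", "1100101", "1110010", "0111001"]       # OA(8,7,2,2), Example 3.50


def rot(x, n, k=1):
    """Cyclic rotation by k positions of the n-bit vector x (held as an integer)."""
    k %= n
    return ((x >> k) | (x << (n - k))) & ((1 << n) - 1)


def has_strength(rows, n, t):
    """True if the rows form a binary orthogonal array of strength t:
    in every choice of t columns each of the 2^t patterns occurs equally often."""
    lam, rem = divmod(len(rows), 1 << t)
    if rem:
        return False
    for cols in combinations(range(n), t):
        seen = {}
        for r in rows:
            key = tuple((r >> c) & 1 for c in cols)
            seen[key] = seen.get(key, 0) + 1
        if len(seen) != 1 << t or set(seen.values()) != {lam}:
            return False
    return True


def rotation_closed_groups(o0_rows, n):
    """Partition V_n into unions of cosets of O_0, each union closed under rotation."""
    o0 = {int(r, 2) for r in o0_rows}
    if any(rot(r, n) not in o0 for r in o0):
        raise ValueError("O_0 must be cyclic")
    groups, placed = [], set()
    for x in range(1 << n):                 # the smallest unplaced vector starts a group
        if x in placed:
            continue
        group = set()
        for k in range(n):                  # cosets generated by the whole class <x>
            shift = rot(x, n, k)
            group |= {r ^ shift for r in o0}
        placed |= group
        groups.append(sorted(group))
    return groups


def build_function(o0_rows, n):
    """Give group number i the output value i; returns (truth table, q)."""
    groups = rotation_closed_groups(o0_rows, n)
    f = [0] * (1 << n)
    for value, group in enumerate(groups):
        for x in group:
            f[x] = value
    return f, len(groups)


def is_rots(f, n):
    """Rotation symmetry: f is unchanged by a one-position rotation of its input."""
    return all(f[rot(x, n)] == f[x] for x in range(1 << n))


def is_ci(f, n, q, t):
    """CI(t) in the page's sense: every preimage f^-1(c) is a strength t orthogonal array."""
    return all(has_strength([x for x in range(1 << n) if f[x] == c], n, t)
               for c in range(q))


if __name__ == "__main__":
    for rows, n, t in ((O0_4, 4, 1), (O0_7, 7, 2)):
        f, q = build_function(rows, n)
        sizes = [len(g) for g in rotation_closed_groups(rows, n)]
        print(n, q, sizes, is_rots(f, n), is_ci(f, n, q, t))
```

For $n = 4$ the numbering happens to coincide with the mapping chosen in Example 3.48, so the truth table returned is exactly Table 3.10; for $n = 7$ it yields four groups of 8, 56, 56 and 8 vectors, matching the mapping of Example 3.50.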

Lemma 3.51. Given a cyclic linear orthogonal array $O = OA(2^{n-1}, n, 2, t)$, the remaining
set of vectors $V_n \setminus O$ also forms a cyclic orthogonal array, $O = OA(2^{n-1}, n, 2, t)$.

Proof. The proof uses an argument similar to the one found in Lemma 3.25. Let $O_0$ be a
cyclic linear orthogonal array $OA(2^{n-1}, n, 2, t)$. Since $O_0$ is a linear orthogonal array, the
row vectors of $O_0$ form an order $2^{n-1}$ abelian subgroup of $V_n$ under $\oplus$. Select a vector
$a \in V_n$ not present in $O_0$ and add it in turn to each row vector in $O_0$ thereby forming
the coset, $O_1$, to $O_0$. Then $O_0 \cup O_1 = V_n$ and according to Lemma 3.10, $O_1$ is also a
$OA(2^{n-1}, n, 2, t)$ orthogonal array. Since $O_0$ is cyclic, for all row vectors $x \in O_0$, $\langle x \rangle \subseteq O_0$.
Thus, for all remaining row vectors $y \in V_n \setminus O_0$ it must be the case that $\langle y \rangle \subseteq V_n \setminus O_0$,
proving that $O_1$ also is a cyclic $OA(2^{n-1}, n, 2, t)$ orthogonal array. ■

Theorem 3.52. Let $O_0 = OA(2^l, p, 2, t)$ be a cyclic linear orthogonal array, where $p$ is
prime and $p > l+1$. If $\mathbf{1} \notin O_0$, then it is always possible, using Algorithm 5, to create a
RotS and $CI(t)$ generalized Boolean function, $f \in$ where $q$ is at least 3.

Proof. $O_0$ is a linear orthogonal array, so it along with its cosets will partition $V_p$ into
$2^{p-l} \ge 4$ orthogonal arrays of strength $t$. Since $O_0$ is cyclic, $\mathbf{1}$ is a period 1 vector, and
$\mathbf{1} \notin O_0$, we can form the cyclic coset $O_1$ using $\mathbf{1}$. Although the remaining $2^{p-l} - 2$ cosets
may not be cyclic, by assigning distinct output values $c_i \in \mathbb{Z}_3$ for $i = 0$ to 2 such that:

$\{O_0 \to c_0, O_1 \to c_1, \{O_2, \ldots, O_{2^{p-l}-1}\} \to c_2\}$,

we produce a RotS and $CI(t)$ generalized Boolean function $f \in \mathcal{GB}_p^3$. In the event there
exist $s$ additional cyclic cosets in the set $\{O_2, \ldots, O_{2^{p-l}-1}\}$, then we can construct a RotS
and $CI(t)$ generalized Boolean function $f \in$ where $q \le 3+s$. ■

Definition 3.53. We adopt Cusick and Stanica's notion from [11, p. 113] and denote $g_n$ as
the cardinality of the partition of $V_n$ into cyclic classes.

Cusick and Stanica provide the following formulae for $g_n$ in Theorem 5.68 and Corollary
5.69 of [11, p. 127]. We make use of these results in subsequent theorems and thus include
their result here, albeit without proof. The interested reader may refer to their cited work
as well as [45] and [46] for proofs and further discourse on the stated results.

Theorem 3.54. [11, p. 127] 

x\n 

where ^(t) is Euler’s phi-function. 

If $n = p$, $p$ prime, it is possible to obtain a simpler expression. In this case,

T\n ^ 

Lemma 3.55. The number of possible RotS generalized Boolean functions in ^ is at
most $g(n)^{g(n)}$.

Proof. In order to construct a RotS generalized Boolean function, we partition $V_n$ into
cyclic classes, of which there are $g(n)$. All vectors within each cyclic class are mapped to
the same output in For each partition there are $q$ choices for the output values. Thus,
all told there are possible functions. Since $q < g(n)$, the result is established. ■

Lemma 3.56. If a linear orthogonal array of the form $OA(2,p,2,1)$, where $p$ is an odd
prime, is used to construct a cyclic partition of $V_p$ containing $2^{p-1}$ orthogonal arrays,
then the maximum obtainable number of subsets is $1 + \frac{2^{p-1}-1}{p}$.

Proof. Since $p$ is prime, each vector in $V_p$ is either period 1 or period $p$, and Theorem 3.54
tells us that there will be a total of $2 + \frac{2^p - 2}{p}$ cyclic classes. The construction requires that
each orthogonal array consists of two vectors, $x \in V_p$ and its complement $\bar{x}$. Each cyclic
class of vectors $\langle x \rangle$ is therefore grouped with $\langle \bar{x} \rangle$, thus causing the total number of subsets
in the partition to be:

$$\left(2 + \frac{2^p - 2}{p}\right) / 2 = 1 + \frac{2^{p-1} - 1}{p}.$$

Theorem 3.57. The number of possible RotS and $CI(1)$ generalized Boolean functions,
$f \in \mathcal{GB}_p^q$, $q \le 1 + \frac{2^{p-1}-1}{p}$, constructed using a linear orthogonal array of the form
$OA(2,p,2,1)$, where $p$ is an odd prime is:

$$\left(1 + \frac{2^{p-1}-1}{p}\right)^{1 + \frac{2^{p-1}-1}{p}}.$$

Proof. Observe that for all $p$, the number of orthogonal arrays, $2^{p-1}$, in the partition is
strictly greater than $1 + \frac{2^{p-1}-1}{p}$. By applying Lemmas 3.55 and 3.56 the result immediately
follows. ■

Remark 3.58. A surprising consequence of Conjecture 2.26 should it prove to be true, is
that balanced and symmetric generalized Boolean functions, where $q > 2$, do not exist.
This however, is not the case with balanced and RotS generalized Boolean functions.

Example 3.59. Consider constructing a 4-variable RotS generalized Boolean function. We
partition $V_4$ into its 6 cyclic classes: $\langle 0000 \rangle$, $\langle 1111 \rangle$, $\langle 0101 \rangle$, $\langle 0001 \rangle$, $\langle 0011 \rangle$, $\langle 0111 \rangle$,
of respective periods 1,1,2,4,4,4. Therefore, by mapping the classes of input vectors to
output values in $\mathbb{Z}_4$ in the following manner, we create a balanced RotS generalized Boolean
function $f \in$

$\{\{\langle 0000 \rangle, \langle 1111 \rangle, \langle 0101 \rangle\} \to c_0, \langle 0001 \rangle \to c_1, \langle 0011 \rangle \to c_2, \langle 0111 \rangle \to c_3\}$,

where $c_i$, with $i = 0$ to 3, are distinct values in $\mathbb{Z}_4$.

Lemma 3.60. For an odd prime $p$ and $k > 2$, it is not possible to partition $V_p$ into $k$ equally
sized cyclic subsets.

Proof. Since $p$ is prime, the only possible periods for vectors in $V_p$ are 1 or $p$. The only
two period 1 vectors in $V_p$ are $\mathbf{0}$ and $\mathbf{1}$. All remaining vectors have period $p$. We wish
to partition $V_p$ into $k$ subsets, each of which is cyclic. All vectors within a given cyclic
class must therefore be contained in the same subset. However, since $k > 2$ and $p$ is an odd
prime, there is no way in which to distribute $\mathbf{0}$ and $\mathbf{1}$ among the $k$ subsets which will ensure
they all are of equal cardinality. ■

Theorem 3.61. There are no balanced and RotS generalized Boolean functions $f \in \mathcal{GB}_p^q$,
for odd prime, $p$, and $q > 2$.

Proof. The result is an immediate consequence of Lemma 3.60. ■
CHAPTER 4:

Avalanche Criteria for Generalized Boolean Functions


War is the realm of uncertainty.
Information is the resolution of
uncertainty. Cryptology is the gateway
between these entropy states.

Carl von Clausewitz, Claude Shannon,
and yours truly


4.1 Introduction

It is important that functions that are used in cryptographic applications are resistant to
attacks involving the use of knowledge of the input to infer anything about the output. In
the preceding chapter we examined correlation immunity properties of generalized Boolean
functions. We will now explore the so-called "avalanche effect" whereby a small change
in the input of a function results in a large, but in some sense uniform, change to the output
of the function. Such a condition, now referred to as the strict avalanche criterion, was first
defined by Webster and Tavares [50] in their research on designing good Substitution boxes
(S-boxes). This area of research is of particular relevance to generalized Boolean functions
as well, in part due to their potential use as components in look-up tables and S-boxes of
future cryptographic systems.


Definition 4.1. [11, p. 31] A Boolean function $f(x)$ in $n$ variables is said to satisfy the
strict avalanche criterion (SAC) if changing any one of the $n$ bits in the input vector $x$
changes the output of the function for exactly half of the $2^{n-1}$ possible input vectors, $x$.
4.2 A Strict Avalanche Criterion Construction for Boolean Functions

Given the fact that we will be examining input vectors which differ by a single bit along
with their associated functional output values, it is very natural to make use of hypercubes.
The idea of enlisting the aid of hypercubes in the study of SAC functions is admittedly not
original. It was first adopted by Biss in 1998 [1], albeit with a combinatorial approach and
not the graph theoretic point of view which we adopt here.

Definition 4.2. [9, p.25] A hypercube of dimension $n$, denoted $H_n$, is the graph whose
vertex set is the set of $n$ long binary vectors $x \in V_n$ and where two vertices are adjacent in
the graph if they differ by exactly one bit.

Example 4.3. Below we depict the hypercubes, $H_1$ and $H_2$. Notice that adjacent vertices
within each graph differ by one bit:

[Figure: the hypercubes $H_1$ and $H_2$ with their vertex labels]

There is a simple recursive method by which hypercubes can be built. $H_2$ is obtained by
taking two copies of $H_1$ and connecting the corresponding (similarly labeled) vertices in
both graphs. The vertex labels are then updated as follows: In the first copy of $H_1$, append
0 to the front of each vector $x$, thereby obtaining the new label, "0x". For the second copy
of $H_1$ append 1 to the front of each vector, thus producing the new vector "1x".

We represent a Boolean function $f \in$ using the $n$-dimensional hypercube $H_n = (V_n, E)$,
where $V_n$ is the vertex set and $E$ is the edge set of the graph. Denote $e = \{x_j, x_h\}$ as an
edge in the graph, where $x_j, x_h \in V_n$ are distinct vertices in $H_n$. We label each vertex $x \in V_n$
with the tuple $(x, f(x))$, where $f(x) \in \mathbb{F}_2$. For each edge $e \in E$, we label $e$ with the value
1 if $f(x_j) = f(x_h)$ and with 0 otherwise.

Example 4.4. Adopting this approach we represent the below Boolean function $f \in \mathcal{B}_2$
using the depicted labeled graph $H_2$:

$V_2$   $f$
00    0
01    0
10    1
11    1

[Figure: labeled $H_2$ with vertex labels (11,1), (10,1), (01,0), (00,0) and edge labels]

Having established a graph-theoretic frame of reference from which to work, we first
consider the conditions under which our labeled hypercube will satisfy the SAC feature for
Boolean functions. All vertices differing by exactly one bit in $H_n$ are connected by an
edge. Moreover, should any pair of such vertices agree with respect to their output values,
the edge between them is labeled with a value of 1. Given the fact that the total number of
edges in a hypercube is $2^{n-1}n$, it is clear that under this Boolean function model paradigm,
a Boolean function will be SAC if and only if the sum of the edge set labels of its associated
graph $H_n$ equals $2^{n-2}n$. We refer to labeled hypercubes which satisfy this requirement as
SAC hypercubes.

When attempting to construct SAC Boolean functions, one can use the fact that hypercubes
can be constructed recursively to one's advantage. By utilizing two appropriately chosen
SAC hypercubes $H_{n,1}$ and $H_{n,2}$, which once connected will have $2^{n-1}$ newly formed edges
labeled with 1's (in other words, half of $H_{n,1}$ and $H_{n,2}$'s corresponding vertices agree with
respect to their output values), the newly formed hypercube $H_{n+1}$ will also be SAC. In order
to be in a position to carry out such constructions, we must first analyze and derive the SAC
hypercube "base case" if you will. We do so by contemplating how the vertices of these
graphs can be labeled with output values in order to obtain the requisite edge label sum.
Considering first $H_1$, we see that there clearly is no way in which this can be accomplished,
since it only contains one edge. Turning our attention to $H_2$, we consider the number of
different ways this labeling can be carried out.

Theorem 4.5. There are 12 possible SAC labelings of the 2-dimensional hypercube.

Proof. Without loss of generality, we choose to begin labeling at the lower right vertex
and proceed counter-clockwise around $H_2$. Given the vertex labeling vector $y = y_1 y_2 y_3 y_4$,
where $i = 1$ to 4 and $y_i \in \mathbb{F}_2$, the labeling scheme will thus be as follows:

For $n > 2$, we will use the $H_n$ label vector $w = y \| z$, where $y$ and $z$ are labeling vectors for
hypercubes $H_{n-1}$.


There are a total of $\sum_{i=0}^{4} \binom{4}{i} = 16$ possible vectors $y$, which we represent using the
following cyclic classes:

(0000) = {0000}
(0001) = {0001, 0010, 0100, 1000}
(0011) = {0011, 0110, 1100, 1001}
(1110) = {1110, 1101, 1011, 0111}
(0101) = {0101, 1010}
(1111) = {1111}.

To determine whether a labeling satisfies our requirements, we evaluate y as follows: 

n 

where 

$$\begin{cases} y_{i+1} & \text{if } i+1 \le n, \\ y_{i+1-n} & \text{if } i+1 > n. \end{cases}$$

If this sum equals 2, then $y$ is acceptable, otherwise it is not. Among the possible labelings,
0000 and 1111 will of course not work, and neither will the labelings from the set (0101).
The remaining 12 labelings represented here by their cyclic classes (0001), (0011), and
(1110) all satisfy the requirement we seek. Hence, any one of them when applied to $H_2$
will produce a SAC hypercube of dimension 2, and thus also represent a SAC 2-variable
Boolean function. ■


Remark 4.6. Using the labeling $y = 0011$ produces the SAC hypercube $H_2$ and associated
Boolean function depicted in Example 4.4.


As previously suggested, we can use two appropriately chosen 2-dimensional SAC hypercubes
to construct a 3-dimensional SAC hypercube. In order to ease the selection task we
demonstrate a quick verification procedure which takes advantage of our consistent labeling
scheme. Let $y_1$ and $y_2$ be two of the 12 SAC labeling schemes for $H_2$. In order to determine
whether or not they, once connected, will produce a 3-dimensional SAC hypercube, we
evaluate the two vectors using the following label comparator function, $l(y_1, y_2) = \mathrm{wt}(y_1 \oplus y_2)$.
The function compares label values at corresponding indices using XOR. Hence similar
values fail to contribute anything to the Hamming weight of the resultant vector whereas
dissimilar label values add 1. Consequently, if in our case $l(y_1, y_2) = 2$ (namely half of
the vertices), then given the fact that each of the original $H_2$ hypercubes were at the onset
SAC, one can be assured that the sum of the edge-set labels for the resultant 3-dimensional
hypercube $H_3$ will achieve the requisite $2^{n-2}n$ value and thus satisfy the strict avalanche
criterion.

Theorem 4.7. There are a total of 56 labeled SAC 3-dimensional hypercubes with SAC
labeled $H_2$ subgraphs.

Proof. According to Theorem 4.5, there are 12 2-dimensional SAC labeled hypercubes.
Each of these has two edges labeled with 1's (and 2 with 0's). Moreover, we know that
in order for the labeled $H_3$ hypercube to be SAC, 6 of its 12 edges must also be labeled
with 1's. Therefore when connecting the two $H_2$ hypercubes, we must ensure that 2 of their
4 corresponding vertices agree with respect to their output labels. Using the previously
described comparator function, $l(y_1, y_2) = \mathrm{wt}(y_1 \oplus y_2)$, we could of course exhaustively
evaluate the relatively small set of label vectors to obtain the stated result. However, we
choose instead to arrive at the answer using a counting argument. We evaluate in turn
each of the three cyclic classes, (0001), (0011) and (1110). Beginning with (0001) we
consider the possible vector pairings which, when added modulo 2, will produce a vector
of weight 2. Let $y = 0001$. Since $y$ is of Hamming weight 1, $\mathrm{wt}(y \oplus \rho^{\kappa}(y)) = 2$ for
$\kappa = 1$ to 3. There are 4 vectors in (0001) for which this works, so there are $4 \cdot 3 = 12$
such possible pairings. Adding a Hamming-weight-2 vector to a Hamming-weight-1 vector
always produces a vector of Hamming weight 1 or 3, so we may readily disregard this
possibility. Let $z = 1110$. Then $\mathrm{wt}(y \oplus \rho^{\kappa}(z)) = 2$, for $\kappa = 1$ to 3. As before, there are 4
vectors in (0001) for which this works, so there are $4 \cdot 3 = 12$ such possible pairings. Observe
that $\bar{y} = 1110$, so the analysis is identical for this cyclic class. Finally we consider (0011).
Adding two Hamming weight 2 vectors together produces either a Hamming weight 0, 2
or 4 vector. The first and last stated possibilities can each only happen once, so among the
4 possible shifts of 0011, it must be the case that the middle condition occurs twice. Thus
there are $4 \cdot 2 = 8$ such possible pairings. Having exhausted all possibilities within the 3
cyclic classes, we tally the possible pairings which yields $2(12 + 12) + 8 = 56$. ■


Remark 4.8. The discourse above highlights a useful SAC construction strategy. Select
a vector, $y$, from any of the three cyclic classes (0001), (0011) or (1110). If $\mathrm{wt}(y) = 1$
or $\mathrm{wt}(y) = 3$, then $y$ along with a cyclic shift, $\rho^{\kappa}(y)$, for $\kappa = 1$ to 3, will always ensure
$\mathrm{wt}(y \oplus \rho^{\kappa}(y)) = 2$. If $\mathrm{wt}(y) = 2$, then any odd shift ($\kappa = 1$ or $\kappa = 3$) will result in
$\mathrm{wt}(y \oplus \rho^{\kappa}(y)) = 2$.
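The counts in Theorems 4.5 and 4.7 and the shift rule of Remark 4.8 can be confirmed by the exhaustive evaluation that the proof mentions. The following Python is an added example, not code from the dissertation; all function names are hypothetical, and it assumes the label order 00, 01, 11, 10 around $H_2$ that the truth tables on this page imply.

```python
from itertools import product


def cyclic_agreements(y):
    """Number of 1-labeled edges of H_2: adjacent cycle labels that agree."""
    return sum(y[i] == y[(i + 1) % 4] for i in range(4))


def sac_h2_labelings():
    """Binary label vectors whose H_2 has edge-label sum 2 (Theorem 4.5)."""
    return [y for y in product((0, 1), repeat=4) if cyclic_agreements(y) == 2]


def comparator(y, z):
    """Label comparator wt(y XOR z): positions where the two labelings differ."""
    return sum(a != b for a, b in zip(y, z))


def compatible_pairs():
    """Ordered pairs (y, z) of SAC H_2 labelings with wt(y XOR z) = 2 (Theorem 4.7)."""
    labelings = sac_h2_labelings()
    return [(y, z) for y in labelings for z in labelings if comparator(y, z) == 2]


def rotate(y, k):
    """Cyclic shift rho^k of a label vector."""
    k %= len(y)
    return y[k:] + y[:k]


def good_shifts(y):
    """Shifts k in 1..3 for which wt(y XOR rho^k(y)) = 2 (Remark 4.8)."""
    return [k for k in (1, 2, 3) if comparator(y, rotate(y, k)) == 2]


def lex_order(y):
    """Reorder one 4-cycle (assumed order 00, 01, 11, 10) lexicographically."""
    return [y[0], y[1], y[3], y[2]]


def truth_table(y, z):
    """Truth table of the H_3 built from y (front bit 0) and z (front bit 1)."""
    return lex_order(y) + lex_order(z)


def agreeing_edges(table, n):
    """Edge-label sum of H_n: edges whose two endpoints carry equal outputs."""
    return sum(table[x] == table[x ^ (1 << i)]
               for x in range(1 << n) for i in range(n)) // 2


def changes_per_coordinate(table, n):
    """For each input bit, the number of inputs whose output changes on a flip."""
    return [sum(table[x] != table[x ^ (1 << i)] for x in range(1 << n))
            for i in range(n)]


if __name__ == "__main__":
    print(len(sac_h2_labelings()), "SAC labelings of H_2")
    print(len(compatible_pairs()), "ordered pairs giving a SAC H_3")
    print(good_shifts((0, 0, 0, 1)), good_shifts((0, 0, 1, 1)))
```

The edge-label sum aggregates over all coordinates, while `changes_per_coordinate` splits it per input bit: the labeling 0011 on $H_2$ reaches the sum of 2 with every change on a single coordinate.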


Example 4.9. Suppose we wish to construct a Boolean function $f \in \mathcal{B}_3$ which satisfies
the strict avalanche criterion. We begin by first selecting two $H_2$ labelings $y = 0011$ and
$z = 1001$. Before proceeding, we confirm that $\sum_{i=0}^{n} y_i \cdot y_{i+1} = 2$ and $\sum_{i=0}^{n} z_i \cdot z_{i+1} = 2$. Once
complete, we then verify that, once connected, the two $y$ and $z$ labeled $H_2$ hypercubes will
produce a SAC $H_3$ labeled hypercube. Given the fact that

$$l(y, z) = \mathrm{wt}(0011 \oplus 1001) = \mathrm{wt}(1010) = 2,$$

we can be assured that this will indeed be the case. We thus proceed to construct the
3-dimensional hypercube $H_3$ in the standard manner. Doing so, the vertex labels for each $H_2$
component are augmented with a 0 or 1 in the previously described manner, however, the
associated vertex output values for each copy of $H_2$ remain unchanged. Doing so produces
the following graph and associated function truth table:

[Figure: SAC labeled hypercube $H_3$.]

$V_3$   $f$
000     0
001     0
010     1
011     1
100     1
101     0
110     1
111     0


Having demonstrated the construction technique, we codify this SAC Boolean function
construction in the following algorithm:


Algorithm 6 SAC Boolean function construction

 1: Given two SAC $H_{n-1}$ binary output labeling vectors y and z, store them as arrays Y and Z.
 2: m ← n − 1
 3: YLength ← 2^m
 4: Edge ← 0
 5: Initialize two arrays W and F of length 2YLength.
 6: for i = 0 to YLength − 1 do
 7:     if Y[i] == Z[i] then
 8:         Edge++
 9:     end if
10: end for
11: if Edge = 2^(m−1) then
12:     for i = 1 to YLength do
13:         if i ≡ 3 (mod 4) then
14:             W[i − 1] ← Y[i]
15:             W[i] ← Y[i − 1]
16:             W[YLength + i − 1] ← Z[i]
17:             W[YLength + i] ← Z[i − 1]
18:         else if i ≢ 0 (mod 4) then
19:             W[i − 1] ← Y[i − 1]
20:             W[YLength + i − 1] ← Z[i − 1]
21:         end if
22:     end for
23: else
24:     Return: "Error! The vectors will not produce a SAC function."
25: end if
26: for j = 0 to 2YLength − 1 do
27:     F[j] ← (j_2, W[j])
28: end for
Proof of Correctness of the SAC Boolean Function Construction:

The algorithm accepts two binary output labeling vectors $y$ and $z$ for two hypercubes of
dimension $m = n - 1$, storing them in the arrays Y and Z. Since each of these labelings
produces a SAC labeled hypercube, we know that each of these hypercubes must contain
$2^{n-3}(n-1)$ 1-labeled edges. There will be a total of $2^{n-1}$ new edges formed once the
two hypercubes are connected. Therefore, if half of the corresponding labeled vertices
in each hypercube agree with respect to their output values (labels), then $2^{n-2}$ new edges
will be labeled with 1's. The total number of 1-labeled edges in the resultant $n$-dimensional
hypercube will therefore be

$$2 \cdot 2^{n-3}(n-1) + 2^{n-2} = 2^{n-2}(n-1+1) = 2^{n-2}n = \frac{2^{n-1}n}{2}.$$

This is exactly half of the total number of edges of the newly-formed hypercube. We
therefore conclude that it, along with its corresponding function $f \in \mathcal{B}_n$, must be SAC. Thus,
the task at hand is to ensure that exactly half of the corresponding vertex labels in Y and Z
agree. This check is carried out in steps 6 to 10 of the algorithm. For $i = 0$ to YLength − 1
the algorithm compares array elements Y[i] and Z[i] and increments the Edge counter if the
values match. If Edge = $2^{m-1}$ the construction will succeed and the algorithm proceeds
to build the function truth table. The adopted labeling scheme, discussed in Theorem 4.5,
stores the vector labels in Y and Z as counterclockwise 4-cycles of $H_2$ planes, so before
doing so, it is necessary to store the output values (labels) in lexicographic order in an
array W. This procedure is accomplished in steps 12 to 22 of the algorithm. Finally, using
W, and for $j = 0$ to $2^n - 1$, the algorithm populates the truth table array F with tuples,
$(j_2, W[j])$, of binary input vectors and $q$-ary output values.

Remark 4.10. The similarity between the Siegenthaler correlation immunity construction 
outlined in Theorem 3.35 and the SAC hypercube construction from Algorithm 6 should 
not be lost on the reader. The SAC construction not only uses two graphs (functions) of 
dimension n — 1 to create a graph (function) of dimension n, but like Siegenthaler’s it also 
requires that the frequency of the two output values 0 and 1 agree between the dimension 
n — 1 subgraphs. 

Example 4.11. Suppose we wish to construct a SAC and CI(1) Boolean function $f \in \mathcal{B}_3$.
We begin by selecting two $H_2$ labeling vectors $y = 0001$ and $z = 0100$.
Nota bene: The reader is cautioned that, unlike in the case of lexicographic ordering, our
labeling scheme reverses the order of 10 and 11. Therefore, although by inspection $y \| z$
does not (based on symmetry) immediately appear to be CI(1), it in fact is.

As in the previous example, we confirm that $\sum_{i=0}^{n} y_i \cdot y_{i+1}$ and $\sum_{i=0}^{n} z_i \cdot z_{i+1}$ both equal 2 and
that $l(y, z) = \mathrm{wt}(0001 \oplus 0100) = \mathrm{wt}(0101) = 2$. Having done so, we then construct the $H_3$
labeled graph below.

$V_3$   $f$
000     0
001     0
010     1
011     0
100     0
101     1
110     0
111     0


Since our construction used $y$ and $z$, which when taken in concert was CI(1), we were
not only able to construct a SAC labeled hypercube, but it also turned out to be (order 1)
correlation immune. Had we instead chosen the vectors $u = 0010$ and $v = 1000$, we would
have produced the following SAC and CI(1) hypercube.

$V_3$   $f$
000     0
001     0
010     0
011     1
100     1
101     0
110     0
111     0


Having these two SAC and CI(1) labeled graphs at our disposal, we demonstrate how
to go about combining the Siegenthaler construction of Theorem 3.35 and Algorithm 6 to
produce a Boolean function in 4 variables which is both SAC and CI(1).

Let $f_1$ and $f_2$ be the Boolean functions corresponding to $H_{3,1}$ and $H_{3,2}$. Let $n = 3$ and
$w = y \| z$ and $t = u \| v$. Before merging the two graphs and creating the function in $n + 1$
variables, $f = f_1 \| f_2$, we ensure the following hold:

1. $H_{3,1}$ and $H_{3,2}$ are both of proper dimension and SAC.

2. $\mathrm{wt}(w \oplus t) = 2^{n-1}$.

3. For the set of input vectors $x \in V_3$, $\Pr(f_1(x) = 0) = \Pr(f_2(x) = 0)$.

4. $f_1$ and $f_2$ are both CI(1).

With all of these requirements met, we proceed with the construction and create the
following labeled hypercube $H_4$, along with its associated Boolean function truth table:

[Figure: SAC and CI(1) labeled hypercube $H_4$.]
Table 4.1: A SAC and CI(1) Boolean function $f \in \mathcal{B}_4$

$V_4$   $f$
0000    0
0001    0
0010    1
0011    0
0100    0
0101    1
0110    0
0111    0
1000    0
1001    0
1010    0
1011    1
1100    1
1101    0
1110    0
1111    0
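Algorithm 6 and the four checks listed before Table 4.1, written out in Python as an added example (not the dissertation's code; the function names are hypothetical). It assumes label vectors are stored as blocks of four in the cycle order 00, 01, 11, 10, and it rebuilds Example 4.9, both graphs of Example 4.11 and Table 4.1.

```python
from collections import Counter


def cycles_to_lex(labels):
    """Steps 12-22: every block of four labels is a 4-cycle in the order
    00, 01, 11, 10; swapping its last two entries gives lexicographic order."""
    out = []
    for k in range(0, len(labels), 4):
        a, b, c, d = labels[k:k + 4]
        out += [a, b, d, c]
    return out


def dimension(table):
    """n such that the table has 2^n entries."""
    n = len(table).bit_length() - 1
    if n < 1 or len(table) != 1 << n:
        raise ValueError("length must be a power of two")
    return n


def agreeing_edges(table):
    """Edge-label sum of H_n: edges whose endpoints carry equal outputs."""
    n = dimension(table)
    return sum(table[x] == table[x ^ (1 << i)]
               for x in range(1 << n) for i in range(n)) // 2


def is_sac(table):
    """The page's criterion: n * 2^(n-2) of the n * 2^(n-1) edges are 1-labeled."""
    n = dimension(table)
    return 4 * agreeing_edges(table) == n * (1 << n)


def is_ci1(table):
    """Order-1 correlation immunity: fixing any one input bit to 1 leaves the
    output distribution unchanged (the bit = 0 half then matches as well)."""
    n = dimension(table)
    total = Counter(table)
    for i in range(n):
        half = Counter(table[x] for x in range(1 << n) if (x >> i) & 1)
        if any(2 * half[v] != total[v] for v in total):
            return False
    return True


def algorithm6(y, z):
    """Join two SAC H_{n-1} label strings into the truth table of a SAC H_n."""
    y, z = [int(c) for c in y], [int(c) for c in z]
    if len(y) != len(z) or len(y) % 4:
        raise ValueError("label vectors need equal length, a multiple of 4")
    m = dimension(y)
    ty, tz = cycles_to_lex(y), cycles_to_lex(z)
    if not (is_sac(ty) and is_sac(tz)):
        raise ValueError("both inputs must label SAC hypercubes")
    edge = sum(a == b for a, b in zip(y, z))      # steps 6-10
    if edge != 1 << (m - 1):                      # step 11
        raise ValueError("The vectors will not produce a SAC function.")
    w = ty + tz                                   # steps 12-22
    return [(format(j, "0%db" % (m + 1)), w[j]) for j in range(len(w))]


def outputs(truth_table):
    """Output column of a truth table as a string."""
    return "".join(str(v) for _, v in truth_table)


def build_table_4_1():
    """w = y||z and t = u||v from Example 4.11, joined as in Table 4.1."""
    f1 = outputs(algorithm6("0001", "0100"))      # labeled H_3 from y, z
    f2 = outputs(algorithm6("0010", "1000"))      # labeled H_3 from u, v
    f = algorithm6("0001" + "0100", "0010" + "1000")
    same_zero_prob = f1.count("0") == f2.count("0")            # check 3
    both_ci1 = all(is_ci1([int(c) for c in g]) for g in (f1, f2))  # check 4
    return f, same_zero_prob, both_ci1


if __name__ == "__main__":
    table, _, _ = build_table_4_1()
    for bits, value in table:
        print(bits, value)
```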


4.3 A Probabilistic Strict Avalanche Criterion 

Motivated by the work of Kam and Davida on permutation-substitution networks [22],
as well as that of Feistel [14], Webster and Tavares first investigated the strict avalanche
criterion in 1986 in an effort to design S-boxes with desirable cryptographic properties.
Given the fact that Boolean functions are often employed as components in S-box design,
there has subsequently been a great deal of research carried out on SAC Boolean functions.
In this section, we will seek to extend the notion of the strict avalanche criterion to that of
generalized Boolean functions. Throughout the discourse we continue to build upon the
graph-theoretic framework previously developed for the Boolean case.

The strict avalanche criterion requires, in the Boolean case, that each output bit should
change with probability 1/2 whenever a single bit of a binary input vector is
complemented [50]. In the generalized Boolean case, we modify the criterion as follows:

Definition 4.12. A generalized Boolean function $f \in \mathcal{GB}_n^q$ is said to satisfy the
probabilistic strict avalanche criterion (PSAC), if changing any one of the $n$ bits in an input vector
$x \in V_n$ results in the output of the function remaining invariant with probability $1/q$.

Remark 4.13. As previously demonstrated, for each Boolean function, it is possible to
construct a corresponding labeled hypercube $H_n$. Consequently, given Definition 4.12, a
generalized Boolean function $f \in \mathcal{GB}_n^q$ can only be PSAC if $q \mid 2^{n-1}n$. In other words, the
number of edges in the graph must be divisible by $q$.


Example 4.14. We motivate this probabilistic notion of SAC using the following example.
Suppose we wish to construct a PSAC generalized Boolean function $f \in \mathcal{GB}_3^3$. The first
task is to verify that the number of edges in $H_3$, namely $2^{3-1} \cdot 3 = 12$, is divisible by 3.
This being the case, we proceed. As with the previous SAC Boolean function construction,
we base our construction on two, albeit not necessarily PSAC hypercubes, of dimension
$n - 1$. The function's output values are now in $\mathbb{Z}_3$. Suppose the two ternary label vectors
are $y = 0011$ and $z = 2200$. In the case of binary vectors, we had a straightforward method
of checking the suitability of a given label vector using the sum of the binary product of its
bits. In the generalized Boolean function case, we utilize the same basic idea. However,
due to the $q$-ary nature of the task at hand, we employ the Kronecker delta function instead.
Thus, given a vector $y = (y_1, y_2, \ldots, y_n)$, let

$$\delta(y_i, y_{i+1}) = \begin{cases} 0 & \text{if } y_i \ne y_{i+1}, \\ 1 & \text{if } y_i = y_{i+1}, \end{cases}$$

and

$$\begin{cases} y_{i+1} & \text{if } i+1 \le n, \\ y_{i+1-n} & \text{if } i+1 > n. \end{cases}$$

Having previously been given the label vectors $y$ and $z$, we are now capable of computing
the number of 1-labeled edges in each of the respective $H_2$ graphs, id est

$$\sum_{i=0}^{n} \delta(y_i, y_{i+1}) = 2$$

and

$$\sum_{i=0}^{n} \delta(z_i, z_{i+1}) = 2.$$

We subsequently need to check the number of newly formed edges which will be 1-labeled
when the two $H_2$ graphs are connected. Once again, we need to revise the way in which this
is accomplished. Rather than using the XOR operation and computing $\mathrm{wt}(y \oplus z)$, as we did
when dealing with Boolean functions, we again avail ourselves of the Kronecker delta and
compute instead the sum, $\sum_{i=1}^{n} \delta(y_i, z_i)$. Doing so, we discover that connecting the two $H_2$
graphs will not produce any additional 1-labeled edges. Thus, the total number of 1-labeled
edges in $H_3$ will be 4. This in turn means that the probability of an edge being 1-labeled,
and thus neighbor vertices within $H_3$ having the same output label, is $4/12 = 1/3$. The
$H_2$ labeled subgraphs will therefore produce the desired result. We display the following
PSAC labeled hypercube $H_3$ along with its associated function truth table.

$V_3$   $f$
000     0
001     0
010     1
011     1
100     2
101     2
110     0
111     0


Having demonstrated our approach to constructing PSAC generalized Boolean functions, 
we now codify the procedure in Algorithm 7. 


Remark 4.15. Despite being rather long, Algorithm 7 is, at its core, relatively
straightforward. The general approach mirrors that of Example 4.13 and involves using the supplied
label vectors to count the number of 1-labeled edges within each subgraph (hypercube of
dimension $n - 1$) along with the number of 1-labeled edges which emerge once the two
subgraphs are connected. If this number ends up equaling $(2^{n-1}n)/q$, $q$ being the number
of different output values (labels) of the generalized function $f \in \mathcal{GB}_n^q$, then we know that
according to Definition 4.12, $f$ will satisfy the probabilistic strict avalanche criterion.
Algorithm 7 PSAC generalized Boolean function construction

 1: m ← n − 1
 2: if 2^m (m + 1) ≢ 0 (mod q) then
 3:     Print: "Error! Function parameters not capable of producing a PSAC function."
 4: else
 5:     Store two $H_{n-1}$ labeling vectors y and z as arrays Y and Z.
 6:     YLength ← 2^m
 7:     Initialize arrays W and F of length 2YLength.
 8:     #Sections ← YLength/4
 9:     YEdge ← 0
10:     ZEdge ← 0
11:     TargetCnt ← (2^m (m + 1))/q
12:     for k = 0 to #Sections − 1 do
13:         for j = 4k to 4(k + 1) − 1 do
14:             EndIndex = j + 1
15:             if EndIndex > 4k + 3 then
16:                 EndIndex = EndIndex − 4
17:             end if
18:             if Y[j] == Y[EndIndex] then
19:                 YEdge++
20:             end if
21:             if Z[j] == Z[EndIndex] then
22:                 ZEdge++
23:             end if
24:         end for
25:     end for
26:     for h = 0 to m − 1 do
27: Stepsize-v-2^^^
28: End^^^^-i
29:         for k = 0 to End do
30:             for j = (2k)Stepsize to (2k + 1)Stepsize − 1 do
31:                 if Y[j] == Y[j + Stepsize] then
32:                     YEdge++
33:                 end if
34:                 if Z[j] == Z[j + Stepsize] then
35:                     ZEdge++
36:                 end if
37:             end for
38:         end for
39:     end for
40:     EdgeCnt = YEdge + ZEdge
41:     ConnectTarget = TargetCnt − EdgeCnt
42:     if EdgeCnt > TargetCnt or ConnectTarget > 2^m then
43:         Print: "Error: y and z cannot produce a PSAC function."
44:     else
45:         for i = 0 to 2^m − 1 do
46:             if Y[i] == Z[i] then
47:                 EdgeCnt++
48:             end if
49:         end for
50:     end if
51:     if EdgeCnt != TargetCnt then
52:         Print: "Error: y and z cannot produce a PSAC function."
53:     end if
54:     for i = 1 to YLength do
55:         if i ≡ 3 (mod 4) then
56:             W[i − 1] ← Y[i]
57:             W[i] ← Y[i − 1]
58:             W[YLength + i − 1] ← Z[i]
59:             W[YLength + i] ← Z[i − 1]
60:         else if i ≢ 0 (mod 4) then
61:             W[i − 1] ← Y[i − 1]
62:             W[YLength + i − 1] ← Z[i − 1]
63:         end if
64:     end for
65:     for j = 0 to 2YLength − 1 do
66:         F[j] ← (j_2, W[j])
67:     end for
68:     Print: F
69: end if



Proof of Correctness of the PSAC Generalized Boolean Function Construction:

The first thing the algorithm does, in step 2, is to verify that the number of edges, $2^{n-1}n$, of
the resultant graph is divisible by the desired number of output values (labels), $q$.
If this is satisfied, the algorithm then accepts two label vectors $y$ and $z$, each of length $2^{n-1}$,
for the two $H_{n-1}$ subgraphs and stores them in arrays Y and Z. Following some required
initialization, the algorithm uses Y and Z and begins to compute the number of 1-labeled
edges within each labeled $H_2$ subgraph. Our adopted labeling scheme, discussed in
Theorem 4.5, stores vector labels as counterclockwise 4-cycles. Consequently, in order to
begin comparing label values and count corresponding 1-labeled edges within each vector,
we must first split the vectors into sub-vectors of length 4 and cyclically check for value
agreements. This procedure is carried out in steps 12 to 25 of the algorithm. Once this
has been completed the algorithm then needs to check output value agreement for
corresponding vertices residing in different planes of each subgraph. This procedure is
accomplished in steps 26 to 39. Upon completion of these steps, the algorithm now has
1-labeled edge counts for both Y and Z which are added together and stored as EdgeCnt.
EdgeCnt is then subtracted from TargetCnt (the number of 1-labeled edges required in
order for $H_n$ to be PSAC). This value is stored as ConnectTarget. The algorithm then
performs two checks: First, it ensures that EdgeCnt ≤ TargetCnt. Secondly, it verifies that
ConnectTarget ≤ $2^{n-1}$, where $2^{n-1}$ is the number of new edges formed once the two
$(n-1)$-dimensional hypercubes are connected. If either of these conditions fails, then $H_n$ cannot be
PSAC and no further computation is needed. If, on the other hand, these conditions are
satisfied, the algorithm compares the elements Y[i] and Z[i] and increments EdgeCnt each
time an agreement is encountered. Thus once complete, the algorithm will have a complete
tally of the number of 1-labeled edges in the $H_n$ hypercube. By comparing EdgeCnt with
TargetCnt a final determination can then be made as to whether or not the construction will
produce a PSAC hypercube of dimension $n$. If the two values prove to be equal, steps 54 to
64 of the algorithm then store, in lexicographic order, the output values of Y and Z in the
array W. Using W, and for $j = 0$ to $2^n - 1$, the algorithm finally populates the array F with
tuples, $(j_2, W[j])$, of binary input vectors and $q$-ary output values.

Example 4.16. Suppose we wish to construct a generalized Boolean function $f \in \mathcal{GB}_4^4$
which satisfies the probabilistic strict avalanche criterion. The number of edges in $H_4$,
namely $2^{4-1} \cdot 4 = 32$, is divisible by the desired number of output values which is 4, so the
algorithm proceeds to accept and store two label vectors for dimension 3 hypercubes from
which the graph will be constructed. Suppose the label vectors are: $y = 00120223$ and
$z = 20013022$. Y and Z are length 8 vectors, so they will each contain two 4-cycles. The
algorithm checks for label value agreements within each 4-cycle of the respective vectors,
saving the number of agreements to YEdge and ZEdge. In this example these both happen
to be 2. The algorithm then checks for agreements between labels of corresponding vectors
in different planes of each labeled graph. Adding these agreements to the respective
counters, the tally then stands at YEdge = 3 and ZEdge = 3. The algorithm then computes
EdgeCnt = YEdge + ZEdge and ConnectTarget = TargetCnt − EdgeCnt. Having done
so, it verifies that EdgeCnt ≤ TargetCnt and ConnectTarget ≤ $2^{n-1}$, where TargetCnt is
the requisite number of 1-labeled edges in a PSAC quaternary vertex labeled $H_4$
hypercube. If either of these conditions were to fail, the algorithm would terminate. In this
example however, both checks pass, so the algorithm proceeds and for $i = 1$ to 8 compares
array elements Y[i] and Z[i], incrementing EdgeCnt each time an agreement is encountered,
thus yielding EdgeCnt = 8. The algorithm now compares EdgeCnt to TargetCnt. Since
TargetCnt = 32/4 = 8, Y and Z do indeed create a PSAC generalized Boolean function.
Using the array W, the algorithm then saves the output labels of Y and Z in lexicographic
order and subsequently builds the truth table F of the function. The labeled hypercube
along with its corresponding function truth table, Table 4.2, follow.
Table 4.2: A PSAC generalized Boolean function $f \in \mathcal{GB}_4^4$

$V_4$   $f$
0000    0
0001    0
0010    2
0011    1
0100    0
0101    2
0110    3
0111    2
1000    2
1001    0
1010    1
1011    0
1100    3
1101    0
1110    2
1111    2


Theorem 4.17. A generalized Boolean function $f \in \mathcal{GB}_n^q$ can only satisfy the probabilistic
strict avalanche criterion if $q \mid 2^{n-1}n$.


Proof. Let $f \in \mathcal{GB}_n^q$ be a PSAC generalized Boolean function. Let $H_n = (V_n, E)$ be the
labeled hypercube corresponding to $f$, where $V_n$ and $E$ are the respective vertex and edge
sets of $H_n$. Let each vertex $x \in V_n$ be labeled with an output from $\mathbb{Z}_q$ and let $A(x)$ be the
function which returns the label for $x$. Moreover, let each edge $e = \{x, y\} \in E$, $x, y \in V_n$,
be labeled with a value $v \in \mathbb{F}_2$, such that $v = \delta(A(x), A(y))$, where $\delta$ is the Kronecker
delta function. By Definition 4.12, in order for $f$ to be PSAC, it must remain invariant with
probability $1/q$ for the set of $2^n$ possible input vectors. There are a total of $2^{n-1}n$ edges
in $H_n$. Consequently, if $f$ is PSAC, it means that $(2^{n-1}n)/q$ of the edges of $H_n$ must be
labeled with 1's. This in turn can only occur if $q \mid 2^{n-1}n$. ■
4.4 Global and Uniform Avalanche Criteria

From a probabilistic frame of reference several types of strict avalanche criteria exist. To
illustrate the concept, consider the following labeled $H_3$ hypercube which represents a SAC
Boolean function $f \in \mathcal{B}_3$.

For each vertex in the graph, we compare its label to the set of labels of its neighbor vertices.
For the benefit of the reader, we split $H_3$ into subgraphs and omit vertex labels other than
the one under consideration.

For each vertex we now compute the probability associated with the label remaining
invariant as we move from the vertex to its neighbors. The results of these calculations have
been compiled in Table 4.3.
Table 4.3: Vertex invariance probability for a SAC Boolean function

Vertex   Prob. Invariance   Prob. Change
000      2/3                1/3
001      2/3                1/3
010      1/3                2/3
011      2/3                1/3
100      1/3                2/3
101      2/3                1/3
110      1/3                2/3
111      1                  0


The hypercube is of dimension 3, and each vertex is thus of degree 3. This in turn means 
that it is impossible to achieve locally balanced invariance and change probabilities at the 
vertex level. However, summing the respective columns of the table one observes that 
across the set of all vertices, the probability of invariance exceeds that of the probability of 
change. From a cryptographic perspective this is an undesirable property! Consider instead 
the following labeled hypercube which also represents a SAC Boolean function $f \in \mathcal{B}_3$:

To aid the reader we again split $H_3$ into subgraphs:

As before we calculate the probability of invariance for each vertex of the graph and display
the results in Table 4.4.

Table 4.4: Vertex invariance probability for a globally SAC Boolean function

Vertex   Prob. Invariance   Prob. Change
000      2/3                1/3
001      1/3                2/3
010      1/3                2/3
011      2/3                1/3
100      2/3                1/3
101      1/3                2/3
110      1/3                2/3
111      2/3                1/3


Inspecting the results in Table 4.4, we see that for this SAC hypercube and its associated
function the probabilities of invariance and change are balanced across the set of input
vectors.

Definition 4.18. A generalized Boolean function $f \in \mathcal{GB}_n^q$ is said to satisfy the global
avalanche criterion (GAC), if it satisfies the probabilistic strict avalanche criterion of
Definition 4.12 and,


E = /(*)) = 2”/^’ 

xeV„ i=l 

where $e_i$ is a unit vector with the $i$-th bit equal to 1 and all other bits 0.

Definition 4.19. A generalized Boolean function $f \in \mathcal{GB}_n^q$ is said to satisfy the uniform
avalanche criterion (UAC), if for all $1 \le i \le n$, $1 \le j \le q$, and $x \in V_n$,

$$\Pr(f(x \oplus e_i) = c_j) = \frac{1}{q},$$

where $c_j$ are distinct elements of $\mathbb{Z}_q$ and $e_i$ are unit vectors with the $i$-th bit equal to 1 and
all other bits 0.


Example 4.20. To further motivate the concept of the uniform avalanche criterion, we
display the following quaternary output labeled $H_4$, which represents a UAC generalized
Boolean function $f \in \mathcal{GB}_4^4$. For lucidity's sake, we again omit the edge labels.

[Figure: quaternary output labeled $H_4$ of a UAC function; surviving vertex labels include 1011,3 and 1001,2.]

To help the reader verify that for each vertex in the graph, the set of its neighbors take on
all possible output values (labels) from $\mathbb{Z}_4$ (with equal frequency), we split the graph into
16 subgraphs, one for each of the 16 vertices in $H_4$.

The graph paradigm under which we have been operating makes it easy (at least for small
examples) to verify that a function satisfies the various avalanche criteria. However, other
points of reference also have utility. Consider Table 4.5 which depicts the UAC function
from Example 4.20.
Table 4.5: A UAC generalized Boolean function $f \in \mathcal{GB}_4^4$

$V_4$   $f$
0000    0
0001    2
0010    1
0011    3
0100    3
0101    1
0110    2
0111    0
1000    0
1001    2
1010    1
1011    3
1100    3
1101    1
1110    2
1111    0


From the symmetry exhibited in the first and second half of the truth table, it is apparent
that $f$ also is a concatenation of two correlation immune (order 1) generalized Boolean
functions (Siegenthaler construction). The fact that this UAC function is 1-resilient (CI(1)
and balanced) is not a coincidence! Generalized Boolean functions which satisfy the
uniform avalanche criterion exhibit amazing properties. We will continue to explore these
properties throughout the remainder of this chapter.

Theorem 4.21. If a generalized Boolean function in $\mathcal{GB}_n^q$ satisfies the uniform avalanche
criterion, then $q = 2^i$, where $i \le n - 1$ if $n$ odd, or $i \le n$, if $n$ even.

Proof. Let $f \in \mathcal{GB}_n^q$ be a UAC generalized Boolean function. Let $H_n = (V_n, E)$ be the
labeled hypercube corresponding to $f$, where $V_n$ and $E$ are the respective vertex and edge
sets of $H_n$. Let each vertex $x \in V_n$ be labeled with an output from $\mathbb{Z}_q$. Additionally let
$e_i \in V_n$ be unit vectors with the $i$-th bit equal to 1 and all other bits 0. By Definition 4.19, in
order for $f$ to be UAC, for all $i = 1$ to $n$, $j = 1$ to $q$, and $x \in V_n$, $\Pr(f(x \oplus e_i) = c_j) = 1/q$.
Consequently, not only must the number of edges in the graph, namely $2^{n-1}n$, be divisible
by $q$, but the number of graph vertices must also be divisible by $q$. A hypercube $H_n$ contains
$2^n$ vertices. Hence, the stipulated requirement has been proven. ■


4.5 Necessary and Sufficient Conditions for a Generalized 
Strict Avalanche Criterion 

Suppose that we wish to employ two generalized Boolean functions $f_1 \in \mathcal{GB}_n^{q_1}$ and
$f_2 \in \mathcal{GB}_n^{q_2}$ as S-box components of a cryptographic system, as depicted in Figure 4.5. Let
$S$ be the $q_1 \times q_2$ S-box (two dimensional array) containing $q_1$ rows and $q_2$ columns of
binary vector elements of length $n$. Let $x, y \in V_n$ and given $x$, let $f_1(x)$ and $f_2(x)$ be the
respective row and column pointers into $S$, such that $f_1(x) \in \mathbb{Z}_{q_1}$ and $f_2(x) \in \mathbb{Z}_{q_2}$ and
$g(x) = S[f_1(x)][f_2(x)] = y$ is the function which returns element $y$ located in row $f_1(x)$
and column $f_2(x)$ of the S-box.


[Figure: $f_1(x)$ and $f_2(x)$ point into the S-box $S$, which returns $y$.]

Figure 4.1: S-box using generalized Boolean function pointers


Momentarily considering the $q$-ary nature of the S-box pointers, one realizes that in order
for the S-box in question to exhibit good cryptographic properties, it is imperative that in
addition to $f_1$ and $f_2$ being PSAC, each of their constituent Boolean functions must also
be SAC. Regrettably, unlike the situation encountered for correlation immunity, the fact
that a generalized Boolean function is PSAC does not guarantee that its Boolean function
components will also be SAC.

Example 4.22. To see that this is the case, consider the following generalized Boolean
function $f \in$ along with its constituent Boolean functions, $a_0$ and $a_1$.

[Labeled hypercube graphs of $f$, $a_0$ and $a_1$; their truth tables are combined below.]

$V_3$  $a_0$  $a_1$  $f$
000  0  0  0
001  1  0  1
010  0  0  0
011  0  1  2
100  0  0  0
101  0  0  0
110  1  0  1
111  0  1  2


By inspection we see that 4 of the 12 edges of $f$'s graph are labeled with 1's. The
probability that two neighboring vertices agree with respect to their output values (labels) is
therefore 1/3, so $f$ is PSAC. Likewise, 6 of $a_0$'s 12 edges are labeled with 1's, so it is SAC.
However, in the case of $a_1$, 8 of its 12 edges are labeled with 1's and it therefore fails to
satisfy the SAC.


Proceeding in the opposite direction and building a generalized Boolean function using 
SAC Boolean functions also does not guarantee that the generalized Boolean function will 
be PSAC. We again provide the reader with an example: 

Example 4.23. Start with the following graphs:

[Labeled hypercube graphs of $a_0$ and $a_1$; their truth tables are combined below.]

$V_3$  $a_0$  $a_1$
000  0  0
001  1  0
010  0  1
011  0  0
100  0  0
101  0  0
110  1  0
111  0  1

Of the 12 edges in each of the labeled graphs $a_0$ and $a_1$, 6 edges are 1-labeled, hence the
Boolean functions which they represent are both SAC. We now utilize these functions to
produce the following generalized Boolean function $f(x) = a_0(x) + 2a_1(x)$.

[Labeled hypercube graph of $f$.]

$V_3$  $a_0$  $a_1$  $f$
000  0  0  0
001  1  0  1
010  0  1  2
011  0  0  0
100  0  0  0
101  0  0  0
110  1  0  1
111  0  1  2

The graph $f$ contains 2 1-labeled edges, which means that the probability of two neighbor
vertices in the graph having the same output label is 2/12 = 1/6. Given the fact that $q = 3$,
we conclude that $f$ does not satisfy the PSAC.

Both of these situations are unfortunate! Webster and Tavares’ notion of a strict avalanche
criterion was born out of a desire to build S-boxes with good cryptographic properties. If
we hope to employ generalized Boolean functions as components of cryptographic algorithms
(quantum, perhaps) we must at minimum avoid introducing binary decomposition
design weaknesses and thus must ensure that the constituent Boolean functions of a PSAC
generalized Boolean function are all SAC. From a practical perspective we would also
like to be able to build PSAC generalized Boolean functions using SAC Boolean functions.
Bearing both conditions in mind, we formulate the following definition.

Definition 4.24. Let $f \in$ be a generalized Boolean function, such that for $x \in V_n$,
$f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$, $a_j \in \mathcal{B}_n$. The function $f$ is said to satisfy the generalized strict
avalanche criterion (GSAC) if and only if $f$ satisfies the probabilistic strict avalanche
criterion and all Boolean functions $a_j$, $0 \le j \le k-1$, satisfy the strict avalanche criterion.

Lemma 4.25. Let $f \in$ be a generalized Boolean function, such that $x \in V_n$ and
$f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$, where $a_j \in \mathcal{B}_n$. If $f$ satisfies the uniform avalanche criterion, then for
all $j$, $0 \le j \le k-1$, $a_j$ satisfies the strict avalanche criterion.

Proof. Let $f \in$ be a UAC generalized Boolean function. Let $H_n = (V_n, E)$ be the
labeled hypercube corresponding to $f$, where $V_n$ and $E$ are the respective vertex and edge
sets of $H_n$. Let each vertex $x \in V_n$ be labeled with an output $c_m \in \mathbb{Z}_q$ and let $e_i \in V_n$ be a
unit vector with the $i$-th bit equal to 1 and all other bits 0. By Definition 4.19, in order for $f$
to be UAC, for all $i = 1$ to $n$, all $m = 1$ to $q$, and every $x \in V_n$, $\Pr(f(x \oplus e_i) = c_m) = 1/q$.
Since $H_n$ is a hypercube, each vertex is of degree $n = hq$, for some $h$, $1 \le h \le n$. Moreover,
from Theorem 4.21, we know that $q = 2^{\ell}$ for $\ell < n$. For each value $j$, $j = 0$ to $k-1$, and
each vertex $x$, we relabel $H_n$ by replacing the output value (label) $c_m$ with the $j$-th bit of the
binary expansion of $c_m$, thus creating a new labeled hypercube for each Boolean function
$a_j$. Consider further the binary expansion of the set of $q$ distinct output values $c_m \in \mathbb{Z}_q$.
Observe that since $q = 2^{\ell}$, for each $j$ this set will contain an equal number of 0's and 1's.
If this is not immediately evident, consider the fact that each column $j$ of is balanced.
Since $f$ is UAC, for each vertex $x$ in $H_n$, each value $q$ appears with frequency $h$ in the
set of neighbor vertices of $x$. Therefore, regardless of what value $h$ happens to be for our
particular generalized Boolean function $f$, for each Boolean function, $a_j$, each vertex $x$ in
$a_j$ will have $2^{\ell-1}$ neighbor vertices with 0 labels and $2^{\ell-1}$ neighbor vertices with 1 labels.
Hence $a_j$ satisfies the uniform avalanche criterion and thus is also SAC. ■

Lemma 4.26. Let $B = \{a_0, a_1, \ldots, a_{k-1}\}$ be a set of $k$ Boolean functions each in $n$ variables.
If each Boolean function satisfies the uniform avalanche criterion (UAC) and for all $j$ and
$h$, where $0 \le j, h \le k-1$ and $j \ne h$, the pairwise Hamming distance $d(a_j, a_h) = 2^{n-1}$,
then the generalized Boolean function $f \in$ constructed using $B$ such that
$f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$, will be such that it also satisfies the uniform avalanche criterion.


Proof. Let $B = \{a_0, a_1, \ldots, a_{k-1}\}$ be a set of $k$ UAC Boolean functions each in $n$ variables.
For all $j$ and $h$, where $0 \le j, h \le k-1$ and $j \ne h$, let each function be such that their
pairwise Hamming distances satisfy $d(a_j, a_h) = 2^{n-1}$. Let $f \in$ be the generalized
Boolean function constructed using $B$ such that $f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$. For $i = 1$ to $n$, let,
$L_x = \{x \oplus e_i : x \in V_n\}$, be the set of vectors of Hamming distance 1 from $x$, and denote
$C_x = f(L_x)$ as the set of output values associated with $L_x$. Consider now the $q$ distinct
output values $c_m \in \mathbb{Z}_q$, $m = 1$ to $q$. Indexing from $j = 0$ to $k-1$, let $(c_m)_{(j)}$ represent the
$j$-th bit of the binary expansion of $c_m$. Each Boolean function is UAC, therefore for all $i = 1$
to $n$, all $m = 1$ to $q$, every position $j$, and all fixed $x$'s, $\Pr(a_j(x \oplus e_i) = (c_m)_{(j)}) = 1/2$. In
other words, the number of 0's and 1's are equal for each index $j$, of the set of vectors $C_x$.
Moreover, since the pairwise Hamming distance between all distinct Boolean functions is
$2^{n-1}$, it means that the $q$ output values of $C_x$ will all be distinct elements of $V_k$. Thus, it
must be the case that for all $x \in V_n$, $\Pr(f(x \oplus e_i) = c_m) = 1/q$ proving that $f$ is UAC. ■

Theorem 4.27. A generalized Boolean function $f \in$ , $f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$, where
$x \in V_n$ and $a_j \in \mathcal{B}_n$, is GSAC if $f$ and all functions $a_j$ are UAC and for all $0 \le j, h \le k-1$,
such that $j \ne h$, the pairwise Hamming distance $d(a_j, a_h) = 2^{n-1}$.


Proof. According to Definition 4.24, a generalized Boolean function $f \in$ where
$f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$, satisfies the generalized strict avalanche criterion if and only if $f$
satisfies the probabilistic strict avalanche criterion and all Boolean functions $a_j$, $j = 0$ to
$k-1$, satisfy the strict avalanche criterion.

($\Rightarrow$) Let $f \in$ be a UAC generalized Boolean function such that $x \in V_n$,
$f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$, and $a_j \in \mathcal{B}_n$. Then according to Lemma 4.25, all Boolean functions $a_j$
are SAC.

($\Leftarrow$) Let $B = \{a_0, a_1, \ldots, a_{k-1}\}$ be a set of $k$ Boolean functions, each in $n$ variables and each
of which also satisfy the uniform avalanche criterion. For all $j$ and $h$, where $0 \le j, h \le k-1$
and $j \ne h$, let the pairwise Hamming distance $d(a_j, a_h) = 2^{n-1}$. Suppose $f \in$ is a
generalized Boolean function constructed using $B$ such that $f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$. Then
according to Lemma 4.26, $f$ satisfies the uniform avalanche criterion. ■


Examples of GSAC generalized Boolean functions abound. The UAC generalized Boolean
function $f \in$ which we presented in Example 4.20 satisfied the generalized strict
avalanche criterion. Below we provide yet another example of a generalized Boolean
function $f \in$ which satisfies the generalized strict avalanche criterion. In this case
however, the function fails to satisfy the UAC.

[Labeled hypercube graph of $f$.]

$V_3$  $a_0$  $a_1$  $f$
000  0  0  0
001  0  0  0
010  0  1  2
011  1  0  1
100  0  0  0
101  0  1  2
110  1  1  3
111  0  1  2

Observe that 3 of the 12 edges in the graph $f$ are 1-labeled. The probability that any two
neighbor vertices in the graph have the same output value (label) is therefore 1/4 and the
function is PSAC.

[Labeled hypercube graphs of $a_0$ and $a_1$; their truth tables are combined below.]

$V_3$  $a_0$  $a_1$
000  0  0
001  0  0
010  0  1
011  1  0
100  0  0
101  0  1
110  1  1
111  0  1

In $a_0$ and $a_1$, 6 of the 12 graph edges in each respective graph are 1-labeled. Thus, the
probability that any two neighbor vertices in either graph have the same output value
(label) is 1/2 and both functions are therefore SAC.
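
The edge counts quoted in Examples 4.22 and 4.23 and in the GSAC example above can be reproduced mechanically. The following Python sketch is an added illustration, not code from the dissertation; its function names are hypothetical, and it applies the aggregate edge-count test exactly as the examples do (fraction of agreeing edges equal to $1/q$, or $1/2$ for a Boolean component).

```python
from fractions import Fraction


def agreeing_edges(table, n):
    """Count, per direction e_i, the hypercube edges {x, x XOR e_i} whose two
    endpoints carry the same output label (the "1-labeled" edges of the text).

    table[x] is the output for the input vector whose bits, read as a binary
    number, equal x; entry i-1 of the result belongs to e_i (bit i from the right).
    """
    counts = []
    for i in range(n):
        mask = 1 << i
        counts.append(sum(1 for x in range(1 << n)
                          if not x & mask and table[x] == table[x | mask]))
    return counts


def agreement_probability(table, n):
    """Fraction of the n * 2^(n-1) edges whose endpoints agree."""
    return Fraction(sum(agreeing_edges(table, n)), n * (1 << (n - 1)))


def components(table, k):
    """Binary decomposition f = a_0 + 2 a_1 + ... + 2^(k-1) a_(k-1)."""
    return [[(value >> j) & 1 for value in table] for j in range(k)]


def combine(parts):
    """Inverse of components(): f(x) = sum_j 2^j a_j(x)."""
    return [sum(bit << j for j, bit in enumerate(bits)) for bits in zip(*parts)]


def is_psac(table, n, q):
    """Edge-count test used in the examples: agreement probability equals 1/q."""
    return agreement_probability(table, n) == Fraction(1, q)


def is_sac(table, n):
    """The same test for a Boolean component (q = 2)."""
    return is_psac(table, n, 2)


def is_gsac(table, n, q, k):
    """Definition 4.24: f passes the PSAC test and every component passes SAC."""
    return is_psac(table, n, q) and all(is_sac(a, n) for a in components(table, k))


# Truth tables copied from the examples, rows ordered 000, 001, ..., 111.
EX_4_22_F = [0, 1, 0, 2, 0, 0, 1, 2]   # Example 4.22, q = 3
EX_4_23_A0 = [0, 1, 0, 0, 0, 0, 1, 0]  # Example 4.23, component a_0
EX_4_23_A1 = [0, 0, 1, 0, 0, 0, 0, 1]  # Example 4.23, component a_1
GSAC_F = [0, 0, 2, 1, 0, 2, 3, 2]      # GSAC example, q = 4

if __name__ == "__main__":
    cases = (("Example 4.22", EX_4_22_F, 3),
             ("Example 4.23", combine([EX_4_23_A0, EX_4_23_A1]), 3),
             ("GSAC example", GSAC_F, 4))
    for name, f, q in cases:
        print(name, "edges of f per direction:", agreeing_edges(f, 3),
              "PSAC:", is_psac(f, 3, q),
              "component edges:", [agreeing_edges(a, 3) for a in components(f, 2)],
              "GSAC:", is_gsac(f, 3, q, 2))
```

The per-direction counts show where a component fails: in Example 4.22 all four edges of $a_1$ in one direction agree, which is what pushes its total to 8 of 12.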


4.6 The Connection between the Uniform Avalanche Criterion
and Correlation Immunity

In Example 4.20 we hinted that a connection existed between a function satisfying the 
uniform avalanche criterion and the fact that it was correlation immune (order 1). We now 
prove this result. 

Theorem 4.28. Generalized Boolean functions $f \in$ which satisfy the uniform
avalanche criterion are 1-resilient (balanced and correlation immune of order 1).

Proof. We proceed by way of contradiction. Let $f \in$ be a generalized Boolean function
which satisfies the uniform avalanche criterion. Partition the set of input vectors $V_n$
into $q$ sets $X_j$, where $0 \le j \le q-1$, such that for all $x \in X_j$, $f(x) = j$. Without loss of
generality consider one of these sets $X_j$, say for instance $X_0$. Suppose that there exists at
least one index $k$, $1 \le k \le n$ for which the set of vectors $X_0$, contain an uneven number
of 0's and 1's. Let $e_i$ denote a unit vector with the $i$-th bit equal to 1 and all other bits 0.
The function $f$ is UAC, so for the set of unit vectors, where $i = 1$ to $n$ and each $x \in X_0$,
the vectors, $x \oplus e_i$, each reside in one of the $q$ different sets $X_j$. Therefore any imbalance
with respect to the number of 0's and 1's in column $k$ for the vectors of $X_0$ must also result
in a 0-1 imbalance in column $k$ of the vectors contained in each of the $q-1$ remaining
sets $X_j$, where $j \ne 0$. Assume that there is a difference of $d$ more 0's than 1's in column
$k$ of $X_0$. Since $f$ is UAC, the total disparity of 0's and 1's for all vectors in the remaining
sets $X_j$, $1 \le j \le q-1$, is $d(n-1)$. However, the union $\bigcup_{j=0}^{q-1} X_j = V_n$. Since the number
of 0's and 1's is balanced for each column $i$, $i = 1$ to $n$ this cannot occur. We therefore
conclude that for all indices $i = 1$ to $n$ and each set $X_j$, $j = 0$ to $q-1$, there must be an
equal number of 0's and 1's. This in turn means that for all $j \in \mathbb{Z}_q$ and every $i$ from 1 to $n$,
$\Pr(x_i = 1 \mid f(x) = j) = 1/2$, which implies that $f$ is $CI(1)$. Moreover, $f$ is UAC, so for each
$x$, and each $c_m \in \mathbb{Z}_q$, $\Pr(f(x \oplus e_i) = c_m) = 1/q$. Thus each output value $c_m$ occurs with
equal frequency across all $x \in V_n$ and $f$ is therefore balanced. ■

Remark 4.29. Theorem 4.28 is important. It not only tells us that a UAC generalized
Boolean function is also $CI(1)$, but given Theorems 3.38 and 4.25, also says that the
constituent Boolean function from which $f$ was built are all $CI(1)$ and SAC, thus rendering
$f$ resistant to the binary decomposition attacks, which we previously considered. Notice,
however, that although all generalized Boolean functions which satisfy the uniform
avalanche criterion are correlation immune (order 1), not all order-1 correlation immune
generalized Boolean functions are UAC, or even PSAC, for that matter.


Example 4.30. To see that this is the case, consider the (order 1) correlation immune
generalized Boolean function $f \in \mathcal{GB}_4^4$ in Table 4.6 along with its associated labeled hypercube.

Table 4.6: A non-UAC $CI(1)$ generalized Boolean function $f \in \mathcal{GB}_4^4$

$V_4$  $f$
0000  0
0001  3
0010  2
0011  1
0100  1
0101  2
0110  3
0111  0
1000  1
1001  2
1010  3
1011  0
1100  0
1101  3
1110  2
1111  1

Using symmetry as our aid, we clearly see that $f$ is a $CI(1)$ generalized Boolean function.
However, in this extreme case, none of the 32 edges in the corresponding graph are
1-labeled. Thus $f$ not only fails to satisfy the UAC, but also fails to be PSAC.

Using two UAC compliant generalized Boolean functions in $n$ variables along with
Algorithm 7 and the Siegenthaler construction allows us to construct a generalized Boolean
function in $n + 1$ variables which is both PSAC and 1-resilient.

Example 4.31. Using the two UAC generalized Boolean functions in Tables 4.7 and 4.8
along with Algorithm 7 and the Siegenthaler construction we construct the PSAC and
1-resilient function depicted in Table 4.9 and Figure 4.2.

Table 4.7: UAC function $f_1 \in \mathcal{GB}_4^4$

Table 4.8: UAC function $f_2 \in$

Table 4.9: A PSAC and 1-resilient generalized Boolean function $f_1 \| f_2 = f \in \mathcal{GB}_5^4$

$V_5$  $a_0$  $a_1$  $a_0 \oplus a_1$  $f$
00000  0  0  0  0
00001  0  1  1  2
00010  1  0  1  1
00011  1  1  0  3
00100  1  1  0  3
00101  1  0  1  1
00110  0  1  1  2
00111  0  0  0  0
01000  0  0  0  0
01001  0  1  1  2
01010  1  0  1  1
01011  1  1  0  3
01100  1  1  0  3
01101  1  0  1  1
01110  0  1  1  2
01111  0  0  0  0
10000  0  0  0  0
10001  1  1  0  3
10010  0  1  1  2
10011  1  0  1  1
10100  1  0  1  1
10101  0  1  1  2
10110  1  1  0  3
10111  0  0  0  0
11000  0  0  0  0
11001  1  1  0  3
11010  0  1  1  2
11011  1  0  1  1
11100  1  0  1  1
11101  0  1  1  2
11110  1  1  0  3
11111  0  0  0  0


Figure 4.2: Labeled hypercube corresponding to the generalized Boolean function in Table 4.9


4.7 Linear Structures and the Globally Uniform Gradient 

The preceding discourse on strict avalanche criteria prompted us to examine the behavior 
of a generalized function, first across the entire set of input vectors, and later for each 
individual input vector. By proceeding from the "global" to "local" point of view, and along 
the way modifying requirements so as to ensure that output value probabilities remained 
balanced, we were able to devise increasingly well-behaved functions. The pinnacle of our 
analysis thus far has been the set of functions which satisfy the uniform strict avalanche 
criterion. These functions are both 1-resilient and satisfy the generalized strict avalanche 
criterion. However, more remains to be done. 

Recall from Definition 2.16 that, given a generalized Boolean function $f \in$ , a vector
$a \in V_n$ is called a linear structure if there exists $c \in \mathbb{Z}_q$ such that, for all $x \in V_n$,
$f(x \oplus a) - f(x) = c$.

Consider once again the function $f_1$ from Example 4.31. We partition the input vectors $X_j$,
$j = 0$ to 3, such that $\bigcup_j X_j = V_4$ and for all $x \in X_j$, $f_1(x) = j$, where $j \in \mathbb{Z}_4$:

$X_0$  $X_1$  $X_2$  $X_3$
0000  0010  0001  0011
1000  1010  1001  1011
0111  0101  0110  0100
1111  1101  1110  1100


Let $e_4 = 1000$ and observe that for each set $X_j$ and for all $x \in X_j$, $f_1(x) = f_1(x \oplus e_4)$.
Thus, $e_4$ is a linear structure and the output invariance for $f$ is skewed in the direction of
$e_4$. From a cryptographer’s standpoint this is undesirable! The weakness in $f_1$ stems from
the way it was constructed. Concatenating two identical copies of a generalized Boolean
function $g \in$ will always introduce the linear structure into the newly constructed
function. While the ease of such a construction may be tempting, it, like so many things in
cryptography, comes with trade-offs. Consider on the other hand the generalized Boolean
function in Table 4.10, which also happens to satisfy the UAC.

Table 4.10: A UAC function $f \in \mathcal{GB}_4^4$, without $e_i$ as a linear structure

$V_4$  $a_0$  $a_1$  $a_0 \oplus a_1$  $f$
0000  1  0  1  1
0001  1  0  1  1
0010  1  1  0  3
0011  0  1  1  2
0100  0  0  0  0
0101  1  1  0  3
0110  0  0  0  0
0111  0  1  1  2
1000  0  1  1  2
1001  0  0  0  0
1010  1  1  0  3
1011  0  0  0  0
1100  0  1  1  2
1101  1  1  0  3
1110  1  0  1  1
1111  1  0  1  1


Indexing from right to left and $i = 1$ to $n$, let $e_i$ be the unit vector with 1 in position $i$
and 0 everywhere else. Once again, we partition the input vectors $X_j$, $j = 0$ to 3, such that
$\bigcup_j X_j = V_4$ and for all $x \in X_j$, $f(x) = j$, where $j \in \mathbb{Z}_4$.

$X_0$  $X_1$  $X_2$  $X_3$
0100  0000  0011  0010
0110  0001  0111  1010
1001  1110  1000  0101
1011  1111  1100  1101

Using this partition, we subsequently consider which unit vectors result in invariance
among the output values for $f$. Doing so we discover the following:

• For all $w \in X_0$, $f(w) = f(w \oplus e_2)$

• For all $x \in X_1$, $f(x) = f(x \oplus e_1)$

• For all $y \in X_2$, $f(y) = f(y \oplus e_3)$

• For all $z \in X_3$, $f(z) = f(z \oplus e_4)$.

This situation is much improved! Now each unit vector is associated with one of the 4 sets 
of the partition. 

A considerable amount of effort has thus far gone into designing generalized Boolean functions
$f \in$ such that, for each $x \in V_n$ and all $i$ from 1 to $n$, the function ensures that
for the set of all Hamming distance 1 vectors, $f$ achieves all output values in $\mathbb{Z}_q$ with equal
probability. It therefore only seems natural that we also ensure that for each $x \in V_n$, the
probability $\Pr(f(x) = f(x \oplus e_i))$ is equal for each of the $n$ unit vectors in $f$.

Definition 4.32. Let $f \in$ be a generalized Boolean function which satisfies the uniform
avalanche criterion and let $e_i$ denote a unit vector with the $i$-th bit equal to 1 and all
other bits 0. The function $f$ is said to possess a globally uniform gradient if for each $e_i$,
$1 \le i \le n$,

$$\Pr(D_{e_i} f(x) = 0) = \frac{1}{n},$$

where $D_{e_i} f(x) = f(x \oplus e_i) - f(x)$, is the derivative of $f$ with respect to the unit vector $e_i$.
Generalized Boolean functions which satisfy the UAC and have a globally uniform unit
vector gradient are referred to as Cataract functions.

Definition 4.33. Let $f \in$ be a generalized Boolean function and let $e_i$ denote a unit
vector with the $i$-th bit equal to 1 and all other bits 0. Then for all $x \in V_n$ and $i = 1$ to $n$, we
define the gradient of $f$, denoted $\nabla f_{e_i}(x)$, as follows:

$$\nabla f_{e_i}(x) = (D_{e_1} f(x), D_{e_2} f(x), \ldots, D_{e_n} f(x)),$$

where $D_{e_i} f(x)$ is the derivative of $f$ with respect to the unit vector $e_i$.

Theorem 4.34. Let $f \in$ be a generalized Boolean function which satisfies the uniform
avalanche criterion. Let $x \in V_n$ and denote $e_i$ as a unit vector with the $i$-th bit equal to 1
and all other bits 0. Then $\{\nabla f_{e_i}(V_n)\} = \mathbb{Z}_q$, $\forall i$, $1 \le i \le n$.

Proof. Let $f \in$ be a generalized Boolean function which satisfies the uniform
avalanche criterion. Since $f$ is UAC, for $i = 1$ to $n$, $f(x \oplus e_i)$ when $x$ runs through $V_n$, must
achieve all values of $\mathbb{Z}_q$ (with equal frequency). Subtraction in the derivative, $D_{e_i} f(x)$, is
carried modulo $q$, thus, for each distinct $i$, $f(x \oplus e_i) - f(x)$ is a unique element of $\mathbb{Z}_q$. ■


Theorem 4.35. Let $f \in$ be a generalized Boolean function. Let $x \in V_n$ and denote
$e_i$ as a unit vector with the $i$-th bit equal to 1 and all other bits 0. If $f$ satisfies the uniform
avalanche criterion and has a globally uniform gradient, then for all $x \in V_n$ and for
specific $i$, the set $\{D_{e_i} f(x)\}$ contains all elements of $\mathbb{Z}_q$ in balanced proportions (in other
words, it is a permutation of the truth table of $f$).


Proof. Let $f \in$ be a generalized Boolean function which satisfies the uniform
avalanche criterion and which has a globally uniform gradient. The function $f$ has a globally
uniform gradient, thus according to Definition 4.32, for each specific $i$ and unit vector
$e_i$, there are $2^n/n$ vectors $x \in V_n$ for which $D_{e_i} f(x) = 0$. However, $f$ is also UAC, so
according to Theorem 4.34, for each $x$ and all $i$ from 1 to $n$, $\{\nabla f_{e_i}(x)\} = \mathbb{Z}_q$. Thus, in order
for both conditions to hold, it must be the case that for each specific unit vector, $e_i$, and the
set of all vectors $V_n$, each value $D_{e_i} f(x) \in \mathbb{Z}_q$ occurs with frequency a divisor of $2^n$. ■


We can use Theorem 4.35 to evaluate whether or not a generalized Boolean function that
satisfies the uniform avalanche criterion also has a globally uniform gradient. We
demonstrate the approach using the following example.


Example 4.36. Suppose we would like to check whether or not the functions $f_1$ and $f_2$
from our previous example each satisfy the uniform avalanche criterion and have globally
uniform gradients. Using their truth tables, we compute their respective gradients for all
vectors $x \in V_n$. The results from these calculations are displayed in Table 4.11.

Table 4.11: Gradients for two UAC generalized Boolean functions $f_1$ and $f_2$

$V_4$  $f_1$  $f_2$  $\nabla f_{1\,e_i}(x)$  $\nabla f_{2\,e_i}(x)$
0000  0  1  (2,1,3,0)  (0,2,3,1)
0001  2  1  (2,1,3,0)  (0,1,2,3)
0010  1  3  (2,3,1,0)  (3,2,1,0)
0011  3  2  (2,3,1,0)  (1,3,0,2)
0100  3  0  (2,3,1,0)  (3,0,1,2)
0101  1  3  (2,3,1,0)  (1,3,2,0)
0110  2  0  (2,1,3,0)  (2,0,3,1)
0111  0  2  (2,1,3,0)  (2,1,0,3)
1000  0  2  (2,1,3,0)  (2,1,0,3)
1001  2  0  (2,1,3,0)  (2,0,3,1)
1010  1  3  (2,3,1,0)  (1,3,2,0)
1011  3  0  (2,3,1,0)  (3,0,1,2)
1100  3  2  (2,3,1,0)  (1,3,0,2)
1101  1  3  (2,3,1,0)  (3,2,1,0)
1110  2  1  (2,1,3,0)  (0,1,2,3)
1111  0  1  (2,1,3,0)  (0,2,3,1)


Examining the rows of the table, for each vector $x$, we observe that the gradients for both
functions contain all values in $\mathbb{Z}_q$. Turning our attention to the columns of each respective
set of gradients, we moreover observe the following: For each column $i$ from 1 to $n$, the
gradient values associated with $e_i$ for $f_1$ are not balanced. For example, the values in the
first column (associated with $e_1$), are all 2. This however is not the case for $f_2$. Here we
see that for each column, $i$, the $e_i$-associated derivatives in the set of gradients, all appear
with equal frequency. We therefore conclude that $f_1$ does not possess a uniform gradient,
whereas $f_2$ does.
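
Added illustration (not code from the dissertation): the checks of Example 4.36, together with the linear-structure search of Definition 2.16 and the 1-resilience statement of Theorem 4.28, run over the truth tables of $f_1$ and $f_2$ from Table 4.11 and the function of Table 4.6. The function names are hypothetical; bit $i$ is counted from the right, as in the text.

```python
from collections import Counter


def derivative(table, a, q):
    """D_a f(x) = f(x XOR a) - f(x) mod q, listed for every x."""
    return [(table[x ^ a] - table[x]) % q for x in range(len(table))]


def gradient(table, n, q):
    """Row x is (D_{e_1} f(x), ..., D_{e_n} f(x)), as in Definition 4.33."""
    columns = [derivative(table, 1 << i, q) for i in range(n)]
    return [tuple(column[x] for column in columns) for x in range(1 << n)]


def is_uac(table, n, q):
    """Uniform avalanche criterion as used in the proofs above: around every x,
    the n neighbours x XOR e_i take each value of Z_q equally often."""
    if n % q:
        return False
    for x in range(1 << n):
        seen = Counter(table[x ^ (1 << i)] for i in range(n))
        if any(seen[value] != n // q for value in range(q)):
            return False
    return True


def has_globally_uniform_gradient(table, n, q):
    """Definition 4.32: UAC, and Pr(D_{e_i} f(x) = 0) = 1/n for every e_i."""
    if not is_uac(table, n, q):
        return False
    size = 1 << n
    return all(derivative(table, 1 << i, q).count(0) * n == size for i in range(n))


def linear_structures(table, n, q):
    """Map every nonzero a for which D_a f is constant to that constant c."""
    found = {}
    for a in range(1, 1 << n):
        values = set(derivative(table, a, q))
        if len(values) == 1:
            found[a] = values.pop()
    return found


def is_one_resilient(table, n, q):
    """Balanced, and Pr(x_i = 1 | f(x) = j) = 1/2 for all i and j (CI(1))."""
    size = 1 << n
    for j in range(q):
        preimage = [x for x in range(size) if table[x] == j]
        if len(preimage) * q != size:
            return False
        for i in range(n):
            if 2 * sum((x >> i) & 1 for x in preimage) != len(preimage):
                return False
    return True


# Truth tables copied from the page, rows ordered 0000, 0001, ..., 1111 (q = 4).
F1 = [0, 2, 1, 3, 3, 1, 2, 0, 0, 2, 1, 3, 3, 1, 2, 0]         # Table 4.11, f_1
F2 = [1, 1, 3, 2, 0, 3, 0, 2, 2, 0, 3, 0, 2, 3, 1, 1]         # Table 4.11, f_2
TABLE_4_6 = [0, 3, 2, 1, 1, 2, 3, 0, 1, 2, 3, 0, 0, 3, 2, 1]  # CI(1), not UAC

if __name__ == "__main__":
    for name, f in (("f1", F1), ("f2", F2), ("Table 4.6", TABLE_4_6)):
        print(name, "UAC:", is_uac(f, 4, 4),
              "1-resilient:", is_one_resilient(f, 4, 4),
              "uniform gradient:", has_globally_uniform_gradient(f, 4, 4),
              "linear structures:", linear_structures(f, 4, 4))
```

For $f_1$ the search reports more than the $e_4$ discussed in the text: $e_1$ is also a linear structure, with constant 2, which is the all-2 first gradient column of Table 4.11.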
CHAPTER 5:

Generalized Bent Boolean Functions 


Mathematics compares the most 
diverse phenomena and discovers the 
secret analogies that unite them. 

Joseph Fourier 


This chapter includes results on generalized bent Boolean functions from the following 
papers: Bent and generalized bent Boolean functions [44], Generalized bent functions and 
their Gray images [28], as well as Partial spread and vectorial generalized bent functions 
[29]. The dissertation author is a coauthor on these papers. The discourse along with all 
results appear in the original form in which they were published in the cited works. 


5.1 Introduction 

The culmination of our investigation into avalanche features for generalized Boolean functions
was the development of what we referred to as cataract functions. These functions
are UAC, free of unit vector linear structures, and contain a global uniform gradient. In this
section we expand upon the idea of removing linear structures from a generalized Boolean
function. Meier and Staffelbach [30] investigated a class of Boolean functions which they
called perfectly nonlinear. We extend here their notion of perfect nonlinear Boolean functions
so that it applies to generalized Boolean functions.

Definition 5.1. A generalized Boolean function $f : V_n \to \mathbb{Z}_q$ is called perfect nonlinear
with respect to linear structures (perfect nonlinear for short) if for every $0 \le j \le q-1$, and
every nonzero vector $a \in V_n$, the equation $D_a f(x) = f(x \oplus a) - f(x) = j$ has exactly $2^n/q$
solutions $x \in V_n$ (in other words, the derivatives of $f$ at every point $a$ are balanced).

Remark 5.2. Notice that based on the above definition, in order for a generalized Boolean
function $f \in$ to be perfect nonlinear, $q$ must be such that $q = 2^{\ell}$, where $1 \le \ell \le n-1$.

In their cited paper, Meier and Staffelbach demonstrated that the class of perfect nonlinear
and bent Boolean functions coincide.

Generalized bent Boolean functions are an active area of research. A plethora of papers have
been written on the topic (see [28], [29], [44] and the references therein). We present here a
few results contained in the above cited papers which were coauthored by this dissertation
author.


5.2 Generalized Bent Boolean Functions 

The material presented in this section was taken directly from the paper Bent and generalized
bent Boolean functions [44] and appears in its original published form.

Recall from Chapter 2 that the generalized Walsh-Hadamard transform of $f \in$ at any
point $u \in V_n$ is the complex valued function

xeV„ 


Definition 5.3. [44] A function $f \in$ is a generalized bent (gbent) function
if $|\mathcal{H}_f(u)| = 1$ for all $u \in V_n$. When $q = 2$, then $f$ is bent (these exist for
$n$ even, only). If $n$ is odd, a function $f \in \mathcal{B}_n$ is said to be semibent if and only
if $|W_f(u)| \in \{0, \sqrt{2}\}$, for all $u \in V_n$.

Suppose $f \in$ is a gbent function such that for every $u$, we have $\mathcal{H}_f(u) =$
for some $0 \le k_u < q$. Then, for such a gbent function $f$, there is a function
$F : V_n \to \mathbb{Z}_q$ such that $= \mathcal{H}_f$. We call such a function $F$ the dual of $f$. The
reader is cautioned that only some gbent functions admit duals. By applying
Theorem 5.4, one can easily see that the dual of a gbent function is also gbent,
since the Walsh-Hadamard transform of the dual $F$ is e9^(u) = ^ 4 (u) [44].

The following properties of the Walsh-Hadamard transform on generalized
Boolean functions are similar to the Boolean function case [44].

Theorem 5.4. [44]

(/) Let f G The inverse of the Walsh-Hadamard transform is given by 

^/(y) = 2-i £ ^(u)(-l)‘*-y. 

ueV„ 

Further, ^f^g{u) = ^gj(u), for all u G which implies that '^(u) is 
always real. 

(«) Iff.e e 3'^’, then 

UGV„ 

^/,g(u)= E ^(x)^(x)(-l)“'’'- 

xeV„ 

(///) Taking the particular case f = g we obtain 


•*>(□)= £ |j«>(x)p(-ir’‘ 

xeV„ 

(/v) 7/'/ G / w a gbent function if and only if 


(5.1) 


^/(u) = 


2” ifu = 0, 


0 «/u ^ 0. 

(v) Moreover, the (generalized) Parseval’s identity holds

$$\sum_{x \in V_n} |\mathcal{H}_f(x)|^2 = 2^n. \qquad (5.2)$$


Let $\zeta$ be a $q$-primitive root of unity, and $f : V_n \to \mathbb{Z}_q$ as in (2.1). It
turns out that the generalized Walsh-Hadamard spectrum of $f$ can be described
(albeit, in a complicated manner) in terms of the Walsh-Hadamard spectrum
of its Boolean components $a_i$ [44].

Theorem 5.5. [44] The Walsh-Hadamard transform of $f : V_n \to \mathbb{Z}_q$, 2^ ^ <
q < 2^, where f(x) = Lf=o ^ is given by 

/C{0,...,/!-l} JCI,KCl 


Proof For brevity, we use the notations := It is easy to see that, for 
5 e Z 2 , we have 


z 


5 


--1--z. 


(5.3) 


and so, we have the identities = f (A, +A'Q), where A,- = 1 + ( —1)“' W, 
— (—1)“'^, and the eomplement 7 := {0,1,... ,/z — 1} \ /, for some sub¬ 
set 7 of {0,1,... ,/z — 1}. The Walsh-Hadamard eoeffieients of / are 


2"/2a^(u) = = £^i:!2o‘«<(’‘)2'(_i)u-x 


£(-i)-n(f2A“'W 

X i=0 ^ 


h-\ 


i=0 


Ei - i )""!! o (1 + (- i )”''"’+(1 - 


= 2-‘£(-l)"- £ f] ^,A'.Aj 

= 2 -^^(- i )“- £ n 

X /C{0,...,/!-!} le/je/ 

= 2^*£(-1)“'* £ ^Eie/2‘ ^ ('_;[y.^l('_;[^L7ey«j(x)elie.?adx) 




= 1 


-h 


^ ^L;6/2' ^ ('_;[y./|^('_;[^u-X('_;^^Lteyuxadx)^ 




JCI,KCI 


and so, we obtain our result. 


5.3 Construction of Generalized Bent Functions in 

The material presented in this section was taken directly from the paper Bent and generalized
bent Boolean functions [44] and appears in its original published form.

Theorem 5.6. [44] If $f : V_{n+2} \to \mathbb{Z}_8$, ($n$ even) is given by

$$f(x,y,z) = 4c(x) + (4a(x) + 2c(x) + 1)y + (4b(x) + 2c(x) + 1)z - 2yz,$$

where $a, b, c \in \mathcal{B}_n$ such that all $a, b, c, a \oplus c, b \oplus c$ and $a \oplus b$ are bent satisfying

$$W_a(x)W_b(x) + W_{a \oplus c}(x)W_{b \oplus c}(x) = -2W_{a \oplus b}(x)W_c(x), \text{ for all } x \in V_n, \qquad (5.4)$$

then $f$ is gbent in $\mathcal{GB}_{n+2}^8$.


Proof We compute the Walsh-Hadamard coefficients (using that C = ;^ (1 + 
i) and = i) 

£ ^/(x,y,z)^_;^^u-x©vy®>vz 

(x,y,z)eV „+2 

_ ^ ^4c(x)^_j^^u-x ^ ^(4a(x)+2c(x) + l)>'+(4fc(x)+2c(x)+l)z-2yz^_ 


xeV„ 


(y,z)eV2 


^ (_l)c(x)©u.x A ^ (_l)v^_;^^fl(x)^c(x)^ ^ (_l)W(_l)Mx)^c(x)^ 

r 

J^^fl(x)©tl(x)©c(x)©V©H’ 


xeV, 


/ V 1 I /IWW 

Applying equation (5.3) with (z,^) = (qc(x)), that is, -h 

we obtain 


i-lYC 

2J^f{vi,v,w) = Wc(u) + (Wa©c(u) +W«(u) + zW«©c(u) -iWa(u)) 

+ (W,©,(u) + Wfc(u) + iWz,©,(u) -^W,(u)) + (-l)'^®"'W,©fe(u) 

= Wc(u) + ^^(W«(u) + ^W«©c(u)) 

(- 1 )’^ 

+ ^^(Wfc(u) + ^W,©,(u)) + (-1)'^®-W,©^(u). 





Therefore, the real and the imaginary parts of ,^(u, v,w) are 


i?e(e^(U,V, W)) 
/m(e^(u,v, w)) 


lTc(u) + (-ir®"'lTa©ft(u) + 


(-iriTa(u) + (-l)-lT,(u) 




(-irWa©c(u) + (-l)"'lT,©c(u) 


and so, 

4\J^f{u,v,w)\^ = ^ (Wa(u)^ + Wfo(u)^ + Wa®c(u)^+lTfo®c(u)^ + 2Wc(u)^ + 2Wfl®fo(u)^) 

+ (-l)''+"'(W,(u)m(u) + lT,®,(u)W&®,(u) +2W,(u)lTa®^,(u)) 

+ \/2((-l)''(W,(u)W,(u)+m(u)lT,®fe(u)) + (-ir(m(u)lT:(u) + W,(u)lT«®i(u))) 

(5.5) 


Since $a, b, c, a \oplus c, b \oplus c, a \oplus b$ are all bent then $|W_a(u)| = |W_b(u)| =
|W_c(u)| = |W_{a \oplus b}(u)| = |W_{a \oplus c}(u)| = |W_{b \oplus c}(u)| = 1$. Further, from the
imposed conditions on these functions’ Walsh-Hadamard coefficients, we
see that $W_a(u)W_b(u) + W_{a \oplus c}(u)W_{b \oplus c}(u) + 2W_c(u)W_{a \oplus b}(u) = 0$, and also
$W_a(u)W_c(u) + W_b(u)W_{a \oplus b}(u) = 0$, $W_b(u)W_c(u) + W_a(u)W_{a \oplus b}(u) = 0$ (that is
because if $W_a(u)$ and $W_b(u)$ have the same sign, then $W_c(u), W_{a \oplus b}$ have opposite
signs; further, $W_a(u)$ and $W_b(u)$ have opposite signs, then $W_c(u), W_{a \oplus b}$
have the same sign). Using these equations, we get that $4|\mathcal{H}_f(u,v,w)|^2 = 4$,
and so, $f$ is gbent [44].


5.4 Necessary Conditions for Generalized Bent Functions 

The material presented in this section was taken directly from the paper Generalized bent 
functions and their Gray images [28] and appears in its original published form. 


Theorem 5.7. [28] All gbent functions f G are regular, except for n 

odd and k = 2, in which case we have = 1~ (±1 ± /). 
From the definition of a Boolean bent function via the Walsh-Hadamard transform
we immediately obtain the following equivalent definition, where we denote
the support of a Boolean function $f$ by $\mathrm{supp}(f) := \{x \in V_n : f(x) = 1\}$:
A Boolean function $f : V_n \to \mathbb{F}_2$ is bent if and only if for every $u \in V_n$ the
function $f_u(x) := f(x) \oplus u \cdot x$ satisfies $|\mathrm{supp}(f_u)| = 2^{n-1} \pm 2^{n/2-1}$. Our next target
is to show an analog description for gbent functions. We use the following
lemma [28].

Lemma 5.8. [28] Let q = 2^, k> I, ^ If pi & Q, 0 < I < q — I and 

PiC^ — ^ rational, then pj = p 2 k-i^j, for I < j < 2^^^ — 1 [28]. 


Proof Sinee for 0 < / < 2* ^ — 1, we ean write every element 

z of the eyelotomie field Q(C) as 

z= £ A/C',AzeQ, 0 </< 2 '^“i-l. 
z=o 

As [Q(C) • Q] = (Pid) = (<p is Euler’s totient funetion), the set 

{1, ..., is a basis of Q(C)- Sinee 

q-l 2 '=-!^! 

0= £p/C'-Z--(pO-p2H-^)+ £ iPj-p2<^-^+j)C‘- 
1=0 1=1 

the assertion of the lemma follows. ■ 


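Proposition 5.9. [28] Let $n = 2m$ be even, and for a function $f : \mathbb{V}_n \to \mathbb{Z}_{2^k}$ and
$u \in \mathbb{V}_n$, let $f_u(x) = f(x) + 2^{k-1}(u \cdot x)$, and let $b_j^{(u)} = |\{x \in \mathbb{V}_n : f_u(x) = j\}|$,
$0 \le j \le 2^k - 1$. Then $f$ is gbent if and only if for all $u \in \mathbb{V}_n$ there exists an
integer $\rho_u$, $0 \le \rho_u \le 2^{k-1} - 1$ such that

$$b^{(u)}_{2^{k-1}+\rho_u} = b^{(u)}_{\rho_u} \pm 2^m \quad\text{and}\quad b^{(u)}_{2^{k-1}+j} = b^{(u)}_j, \ \text{for } 0 \le j \le 2^{k-1} - 1,\ j \ne \rho_u.$$

Proof. First suppose that $f$ is gbent. Then by Theorem 5.7, $f$ is a regular gbent
function. Hence

$$\mathcal{H}_f(u) = \sum_{x \in \mathbb{V}_n} \zeta^{f(x)} (-1)^{u \cdot x} = \sum_{x \in \mathbb{V}_n} \zeta^{f(x) + 2^{k-1}(u \cdot x)} = \mathcal{H}_{f_u}(0) = \sum_{j=0}^{2^k-1} b_j^{(u)} \zeta^j = 2^m \zeta^r$$

for some $0 \le r \le 2^k - 1$. With $\rho_u = r$ if $0 \le r \le 2^{k-1} - 1$, and $\rho_u = r - 2^{k-1}$
otherwise, the claim follows from Lemma 5.8.

The converse statement is verified in a straightforward manner [28]. ■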


We now can present connections between gbent functions and their components
for the general case of gbent functions in $\mathcal{GB}_n^{2^k}$. This generalizes
the corresponding results for $k = 2$ and $k = 3$ in [42] and in [44].

Theorem 5.10. [28] Let $n$ be even, and let $f(x)$ be a gbent function in $\mathcal{GB}_n^{2^k}$,
$k > 1$, (uniquely) given as

$$f(x) = a_1(x) + 2a_2(x) + \cdots + 2^{k-2}a_{k-1}(x) + 2^{k-1}a_k(x),$$

$a_i \in \mathcal{B}_n$, $1 \le i \le k$. Then all Boolean functions of the form

$$g_c(x) = c_1a_1(x) \oplus c_2a_2(x) \oplus \cdots \oplus c_{k-1}a_{k-1}(x) \oplus a_k(x),$$

$c = (c_1, c_2, \ldots, c_{k-1}) \in \mathbb{F}_2^{k-1}$, are bent functions.

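Proof. As in Proposition 5.9, for the gbent function $f$ we denote by $f_u$ the function
$f_u(x) = a_1(x) + \cdots + 2^{k-2}a_{k-1}(x) + 2^{k-1}(a_k(x) + u \cdot x)$ in $\mathcal{GB}_n^{2^k}$. Again,
the integer $b_r^{(u)}$, $0 \le r \le 2^k - 1$, is defined as $b_r^{(u)} = |\{x \in \mathbb{V}_n : f_u(x) = r\}|$. By
Proposition 5.9, $b^{(u)}_{r+2^{k-1}} = b^{(u)}_r$ for all $0 \le r \le 2^{k-1} - 1$, except for one element
$\rho_u \in \{0, \ldots, 2^{k-1} - 1\}$ depending on $u$, for which $b^{(u)}_{\rho_u+2^{k-1}} = b^{(u)}_{\rho_u} \pm 2^{n/2}$.

Since it is somewhat easier to follow, we first show the bentness of $a_k(x) = g_0(x)$.
In the second step we show the general case. For $r \ne \rho_u$, $0 \le r \le 2^{k-1} - 1$,
consider all $x \in \mathbb{V}_n$ for which $a_1(x) + \cdots + 2^{k-2}a_{k-1}(x) = r$. Since
$b^{(u)}_{r+2^{k-1}} = b^{(u)}_r$, for exactly half of these $x$ we have $a_k(x) + u \cdot x = 0$ (note that
the number of these $x$ must be even). Among all $x \in \mathbb{V}_n$ for which
$a_1(x) + \cdots + 2^{k-2}a_{k-1}(x) = \rho_u$, there are $b^{(u)}_{\rho_u}$ for which $a_k(x) + u \cdot x = 0$, and there
are $b^{(u)}_{\rho_u+2^{k-1}} = b^{(u)}_{\rho_u} \pm 2^{n/2}$ for which $a_k(x) + u \cdot x = 1$. Hence for the
Walsh-Hadamard transform of $a_k$ we get

$$W_{a_k}(u) = \sum_{x \in \mathbb{V}_n} (-1)^{a_k(x) \oplus u \cdot x} = \pm 2^{n/2},$$

which shows that $a_k$ is bent.

To show that $g_c$ is bent for every $c \in \mathbb{F}_2^{k-1}$, we write $f_u(x)$, $u \in \mathbb{V}_n$, as

$$f_u(x) = c_1a_1(x) + \cdots + c_{k-1}2^{k-2}a_{k-1}(x) + \bar{c}_1a_1(x) + \cdots + \bar{c}_{k-1}2^{k-2}a_{k-1}(x) + 2^{k-1}(a_k(x) + u \cdot x) := h(x) + \bar{h}(x) + 2^{k-1}(a_k(x) + u \cdot x),$$

where $\bar{c} = c \oplus \mathbf{1}$. Note that every $0 \le r \le 2^{k-1} - 1$ in the value set of
$a_1(x) + \cdots + 2^{k-2}a_{k-1}(x)$ has then a unique representation as $h(x) + \bar{h}(x)$. Consider $x$
for which $h(x) + \bar{h}(x) = r + s \ne \rho_u$. Again from $b^{(u)}_{r+s+2^{k-1}} = b^{(u)}_{r+s}$ we infer that
for half of those $x$ we have $a_k(x) \oplus u \cdot x = 0$. Hence also

$$g_c(x) \oplus u \cdot x = c_1a_1(x) \oplus \cdots \oplus c_{k-1}a_{k-1}(x) \oplus a_k(x) \oplus u \cdot x = 0$$

for exactly half of those $x$. (Observe that $h(x_1) = h(x_2) = r$ implies
$c_1a_1(x_1) \oplus \cdots \oplus c_{k-1}a_{k-1}(x_1) = c_1a_1(x_2) \oplus \cdots \oplus c_{k-1}a_{k-1}(x_2)$.) Similarly as above,
among all $x \in \mathbb{V}_n$ for which $h(x) + \bar{h}(x) = \rho_u$, there are $b^{(u)}_{\rho_u}$ for which
$a_k(x) \oplus u \cdot x = 0$, and there are $b^{(u)}_{\rho_u+2^{k-1}} = b^{(u)}_{\rho_u} \pm 2^{n/2}$ for which $a_k(x) \oplus u \cdot x = 1$.

From this we conclude that $|\{x \in \mathbb{V}_n : h(x) + \bar{h}(x) = \rho_u \text{ and } f_u(x) = 1\}| - |\{x \in \mathbb{V}_n : h(x) + \bar{h}(x) = \rho_u \text{ and } f_u(x) = 0\}| = \pm 2^{n/2}$. Therefore

$$W_{g_c}(u) = \sum_{x \in \mathbb{V}_n} (-1)^{g_c(x) \oplus u \cdot x} = \pm 2^{n/2},$$

and $g_c$ is bent [28]. ■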

Theorem 5.10, which assigns to a gbent function an affine space of bent functions,
provides a necessary condition for a function $f \in \mathcal{GB}_n^{2^k}$ to be gbent. For
$k > 2$ the condition is not sufficient [28].
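
The necessary condition of Theorem 5.10 and the counting criterion of Proposition 5.9 can be checked by brute force on small functions. The following Python sketch is an added example, not code from the dissertation or from [28]; the sample functions F_MM (a Maiorana-McFarland-type function on n = 4 with values in Z_8) and F_BAD (x1 + 2*x2 + 4*x1*x2 on n = 2) are constructed here, and all function names are assumptions.

```python
import cmath

def parity(v):
    return bin(v).count("1") & 1

def gwht(f, n, k):
    """Generalized Walsh-Hadamard spectrum of f: V_n -> Z_{2^k}.
    f is a list of 2^n values; the bits of the index encode the input x."""
    q = 1 << k
    zeta = [cmath.exp(2j * cmath.pi * r / q) for r in range(q)]
    return [sum(zeta[f[x]] * (-1) ** parity(u & x) for x in range(1 << n))
            for u in range(1 << n)]

def is_gbent(f, n, k, tol=1e-9):
    """gbent: |H_f(u)|^2 = 2^n for every u (k = 1 is classical bentness)."""
    return all(abs(abs(h) ** 2 - 2 ** n) < tol for h in gwht(f, n, k))

def components(f, k):
    """Binary expansion f = a_1 + 2 a_2 + ... + 2^(k-1) a_k as truth tables."""
    return [[(v >> i) & 1 for v in f] for i in range(k)]

def all_gc_bent(f, n, k):
    """Theorem 5.10 condition: every g_c = c_1 a_1 ^ ... ^ c_{k-1} a_{k-1} ^ a_k
    is a bent Boolean function."""
    a = components(f, k)
    for c in range(1 << (k - 1)):
        g = list(a[k - 1])
        for i in range(k - 1):
            if (c >> i) & 1:
                g = [gv ^ av for gv, av in zip(g, a[i])]
        if not is_gbent(g, n, 1):
            return False
    return True

def counts_ok(f, n, k):
    """Proposition 5.9 (n even): for every u exactly one residue rho_u has
    b[rho_u + 2^(k-1)] - b[rho_u] = +/- 2^(n/2); all other differences are 0."""
    q, half, m = 1 << k, 1 << (k - 1), n // 2
    for u in range(1 << n):
        b = [0] * q
        for x in range(1 << n):
            b[(f[x] + half * parity(u & x)) % q] += 1
        nonzero = [b[j + half] - b[j] for j in range(half) if b[j + half] != b[j]]
        if len(nonzero) != 1 or abs(nonzero[0]) != 1 << m:
            return False
    return True

# Constructed sample 1: f(x, y) = 4 (x . y) + G(y) mod 8 on n = 4, where the low
# two index bits are x, the high two are y, and G is an arbitrary Z_8-valued map.
G = [0, 1, 3, 6]
F_MM = [(4 * parity((i & 3) & (i >> 2)) + G[i >> 2]) % 8 for i in range(16)]

# Constructed sample 2: f = x1 + 2 x2 + 4 x1 x2 on n = 2. Every g_c is bent,
# yet f is not gbent, illustrating that the condition is not sufficient for k = 3.
F_BAD = [0, 1, 2, 7]

if __name__ == "__main__":
    for name, f, n in (("F_MM", F_MM, 4), ("F_BAD", F_BAD, 2)):
        print(name, "gbent:", is_gbent(f, n, 3),
              "all g_c bent:", all_gc_bent(f, n, 3),
              "counting criterion:", counts_ok(f, n, 3))
```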
CHAPTER 6:

Conclusion and Future Research


Set your course by the stars, not by the
lights of every passing ship.

Omar N. Bradley


6.1 Conclusion 

In this dissertation we investigated generalized Boolean functions which were correlation
immune, satisfied various avalanche features, and which were generalized bent. We presented
several construction techniques for order 1 and higher correlation immune generalized
Boolean functions, and also established new avalanche criteria for generalized Boolean
functions. The goal of this research has been to increase our understanding of the inherent
attributes of generalized Boolean functions so that we are capable of making prudent design
choices when selecting these functions as components in future encryption schemes.
Along the way we discovered several parallels between these functions and their Boolean
counterparts, but oftentimes saw that things become more complicated when operating in
a q-ary environment. In particular, we showed that while the Walsh-Hadamard transform
is an outstanding tool for establishing whether or not Boolean functions satisfy certain
cryptographic properties such as balance and correlation immunity, its utility is somewhat
diminished in the more generalized setting. One area of concern which we attempted to
address was the potential of adversaries carrying out what we termed a "decomposition
attack" whereby they perform a binary expansion of the q-ary functional outputs in
an attempt to discover weaknesses in the underlying Boolean function components. We
showed that correlation immune generalized Boolean functions will not succumb to such
techniques, but that when it comes to avalanche criteria, more care must be taken. One
family of generalized Boolean functions which we believe shows particular promise are
those that satisfy the uniform avalanche criterion. These functions are both probabilistic
SAC as well as 1-resilient (order 1 correlation immune and balanced). Moreover, their
constituent Boolean functions are guaranteed to also be resilient and SAC, thus making these
functions resistant to decomposition attacks targeting these properties. Like many things
in cryptography, trade-offs and compromises abound. While generalized Boolean functions
will most likely find their rightful place in certain applications, they will equally likely
prove unsuitable for others.

6.2 Future Research 

We briefly investigated linear structures and directional derivatives of UAC compliant
generalized Boolean functions, demonstrating the utility in ensuring that equal probabilities
exist among the unit vectors when the generalized Boolean function's derivatives equal
zero. It would be interesting in future research to further investigate linear structures of
generalized Boolean functions, including the Meier and Staffelbach approach of perfect
nonlinear generalized Boolean functions [30], as well as a notion of almost perfect nonlinear
(APN) for generalized Boolean functions. We would also like to find a proof of
Conjecture 2.26 and thus prove that there can be no symmetric and balanced generalized
Boolean functions.
APPENDIX A:

Table of Nontrivial Binomial Bisections 


The following table of nontrivial bisection solutions is a copy of the table which appears 
in the coauthored paper Bisecting binomial coefficients which was published in the journal 
Discrete Applied Mathematics [27]. 

The table contains the complete set of nontrivial bisection solution vectors for
1 < n < 50. In the interest of saving space, we only list the highest
lexicographically occurring solutions. Any additional solutions which a listed
solution may yield, can be generated in the following manner: If a pair of bits are
equidistant from the center of the given vector and differ, they may both be
negated to produce a new solution. Additionally, any solution vector can also
be reversed and negated in its entirety to produce yet another solution [27].






Table A.1: Nontrivial binomial bisections

 n   number of solutions   nontrivial solution vectors
 8   4                     100110001
13   16                    11110011001000
14   4                     101001101000101
     8                     101011100100101
20   4                     101010011010100010101
24   32                    1000110111011000100010001
     16                    1011001111010100101000101
26   4                     101010100110101010001010101
29   2048                  111111110111011000110010000000
31   512                   11110110011111100010101000001000
     128                   11110110010110011001100000001000
32   4                     101010101001101010101000101010101
33   16384                 1111111111111001101001000000000000
34   64                    10101001110110111010000000110010101
     32                    10101001110111101010010000110010101
     16                    10101001111100111010000110110010101
     8                     10101001111101101010010110110010101
     8                     10101010101011011010001010101010101
35   8                     101010101010100111001001010101010101
     16                    101010101011100111001000110101010101
38   4                     101010101010011010101010100010101010101
     32                    101111110010111110100011100010011011101
41   2048                  111111011110101001111000100100001110100000
     4096                  111111011110111001111000100010001110100000
     8192                  111111111111001010111001000100100010100000
     16384                 111111111111011010111001000010100010100000
44   4                     101010101010100110101010101010001010101010101
     128                   101011111000111111110110000011011000110110101
47   1048576               111111111111110100111111000001000000100000000000
48   4096                  1011001111011011010111010101000000000001000000101
50   4                     101010101010101001101010101010101000101010101010101
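
The generation rule stated before Table A.1 can be checked mechanically: expand a listed vector with the two operations and compare the size of the resulting set with the "number of solutions" column. The following Python sketch is an added example, not the dissertation's Julia program; the rows in SAMPLE_ROWS are copied from the table above, the function names are assumptions, and bit i of a vector is taken to select the binomial coefficient C(n, i).

```python
from math import comb

def is_bisection(v):
    """v is a string of n+1 bits; the selected C(n, i) must sum to 2^(n-1)."""
    n = len(v) - 1
    return sum(comb(n, i) for i, b in enumerate(v) if b == "1") == 2 ** (n - 1)

def flip_pair(v, i):
    """Negate the two bits at positions i and n-i. For a differing pair this
    swaps them, and C(n, i) = C(n, n-i) keeps the sum unchanged."""
    n = len(v) - 1
    w = list(v)
    w[i], w[n - i] = v[n - i], v[i]
    return "".join(w)

def reverse_negate(v):
    """Reverse the vector and negate every bit; the new sum is 2^n minus the
    old one, so a bisection stays a bisection."""
    return "".join("1" if b == "0" else "0" for b in reversed(v))

def expand(v):
    """All vectors reachable from v with the two operations of Appendix A."""
    seen, todo = {v}, [v]
    while todo:
        cur = todo.pop()
        n = len(cur) - 1
        candidates = [reverse_negate(cur)]
        candidates += [flip_pair(cur, i) for i in range((n + 1) // 2)
                       if cur[i] != cur[n - i]]
        for w in candidates:
            if w not in seen:
                seen.add(w)
                todo.append(w)
    return seen

# (n, number of solutions, listed vector): rows copied from Table A.1.
SAMPLE_ROWS = [
    (8, 4, "100110001"),
    (13, 16, "11110011001000"),
    (14, 4, "101001101000101"),
    (14, 8, "101011100100101"),
]

def check_row(n, count, v):
    """True if v has length n+1, the whole expanded set consists of bisections,
    its size equals the table count, and v is its lexicographic maximum."""
    orbit = expand(v)
    return (len(v) == n + 1
            and all(is_bisection(w) for w in orbit)
            and len(orbit) == count
            and max(orbit) == v)

if __name__ == "__main__":
    for n, count, v in SAMPLE_ROWS:
        print(n, count, v, check_row(n, count, v))
```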
APPENDIX B:
Binomial Bisection Program


The following parallel computer program written in Julia was created by the dissertation
author to exhaustively search for all nontrivial bisection solutions. The code was run on the
Hamming high performance computer (HPC) at the Naval Postgraduate School, and found
all nontrivial binomial bisections for n < 51 (see Table A.1). In addition to the cited
paper, these research results also contributed to the integer sequence, for 37 < n < 51, of
the total number of binomial bisections (trivial and nontrivial) which appears as A200147 in
the Online Encyclopedia of Integer Sequences.

using MPI

function bisect(n, q, p, r)

    # typealias BInt_t UInt8
    # typealias BInt_t UInt16
    # typealias BInt_t UInt32
    typealias BInt_t UInt64
    # typealias BInt_t UInt128

    @assert BInt_t != UInt8 || n < 8
    @assert BInt_t != UInt16 || n < 16
    @assert BInt_t != UInt32 || n < 32
    @assert BInt_t != UInt64 || n < 64
    @assert BInt_t != UInt128 || n < 128

    comm = MPI.COMM_WORLD
    root = 0

    rank = MPI.Comm_rank(comm)
    size = MPI.Comm_size(comm)
    const procs = q
    const pgms = p
    const pgm_inst = r
    const stride::BInt_t = Int(2^(n+1)/(procs*pgms))

    #Set target value
    const bisect_sum = BInt_t(2)^(n-1)

    #Set vector center
    const center = div(n+1, 2)

    #Set lower Hamming weight boundary
    if n <= 4
        lwr_wt = 0
    elseif 4 < n <= 6
        lwr_wt = 2
    elseif 7 <= n <= 8
        lwr_wt = 3
    elseif 8 < n <= 10
        lwr_wt = 4
    elseif 10 < n <= 12
        lwr_wt = 5
    else
        m = Int(ceil(log(2, n)))
        lwr_wt = Int(ceil(log(2, m))) + m
    end

    #Set upper Hamming weight boundary
    if n <= 4
        upr_wt = n+1
    else
        upr_wt = n-lwr_wt+1
    end

    #Create binary coefficients array
    bin_coef = Array(BInt_t, n+1)
    for j = 1:n+1
        @inbounds bin_coef[j] = binomial(big(n), j-1)
    end

    #Initialize solution containers
    solns = []
    count = 0

    function gather(obj, root::Integer, comm::MPI.Comm)
        buf = Array(typeof(obj), MPI.Comm_size(comm))
        if (MPI.Comm_rank(comm) != root)
            MPI.send(obj, root, 666, comm)
        else
            for r = 0:MPI.Comm_size(comm)-1
                if r != root
                    rmesg = MPI.recv(r, 666, comm)
                    buf[r+1] = rmesg[1]
                else
                    buf[r+1] = obj
                end
            end
        end
        buf
    end

    #Test for symmetry
    function sym_test(f)
        i = 1
        @inbounds while i <= center
            if f[i] != f[n+2-i]
                return 0
                break
            else
                i += 1
            end
        end
        return 1
    end

    #Eliminate vectors
    function test(f)
        issym = true
        j = 1
        while j <= center
            if f[j] == 1 && f[n+2-j] == 0
                return 0
            elseif issym && f[j] != f[n+2-j]
                issym = false
            end
            j += 1
        end
        if issym && f[1] == 1
            return 0
        end
        return 1
    end

    #Generate solution vectors
    function gen_sol(f)
        if sym_test(f) == 1
            count += 2
        else
            j = 0
            for i = 1:center
                if f[i] != f[n+2-i]
                    j += 1
                end
            end
            count += 2^j
        end
    end

    #Check candidate vectors
    f = zeros(BInt_t, n+1);
    BInt_zero = BInt_t(0)
    BInt_one = BInt_t(1)
    start::BInt_t = pgm_inst*(procs*stride) + (rank*stride) + 1
    stop::BInt_t = (start + stride) - 1

    for s = start:stop
        sum_f = BInt_zero
        for i = 1:n+1
            tmp = s & BInt_one
            s = s >> 1
            f[i] = tmp
            sum_f += tmp
            if sum_f >= upr_wt
                break
            end
        end
        if lwr_wt < sum_f < upr_wt
            if test(f) == 1
                my_sum = BInt_t(0)
                for k = 1:n+1
                    if f[k] == 1
                        my_sum += bin_coef[k]
                    end
                    if my_sum > bisect_sum
                        break
                    end
                end
                if bisect_sum == my_sum
                    println(round(Int, f))
                    gen_sol(f)
                end
            end
        end
    end

    gcount = gather(count, root, comm)
    if (rank == root)
        num_sol = sum(gcount)
        println("N = ", n, " Section = ", pgm_inst, " Number of Bisections ", num_sol)
    end

end

let
    MPI.Init()
    n = 51
    q = 64
    p = 64
    r = 53

    if (MPI.Comm_rank(MPI.COMM_WORLD) == 0)
        tic()
    end

    bisect(n, q, p, r)

    if (MPI.Comm_rank(MPI.COMM_WORLD) == 0)
        toc()
    end

    MPI.Finalize()
end
APPENDIX C:

Some Linear Orthogonal Arrays for Higher Order Correlation Immune Generalized Boolean Function Constructions


The following (incomplete) list of linear orthogonal arrays, which are suitable for constructing
higher order correlation immune generalized Boolean functions using the method outlined
in Algorithm 4, has been compiled using data from Hedayat, Sloane and Stufken's
book on orthogonal arrays [19] as well as the Sloane online database of orthogonal
arrays [41].

